Merge pull request #203 from vstroebel/limits

HeroicKatora · web-flow · commit 630e4c848239 · 2022-03-26T16:01:59.000+01:00
Add limit for maximum output image
diff --git a/src/decoder.rs b/src/decoder.rs
@@ -96,6 +96,9 @@ pub struct Decoder<R> {
     coefficients: Vec<Vec<i16>>,
     // Bitmask of which coefficients has been completely decoded.
     coefficients_finished: [u64; MAX_COMPONENTS],
+
+    // Maximum allowed size of decoded image buffer
+    decoding_buffer_size_limit: usize,
 }
 
 impl<R: Read> Decoder<R> {
@@ -115,9 +118,15 @@ impl<R: Read> Decoder<R> {
             exif_data: None,
             coefficients: Vec::new(),
             coefficients_finished: [0; MAX_COMPONENTS],
+            decoding_buffer_size_limit: usize::MAX,
         }
     }
 
+    /// Set maximum buffer size allowed for decoded images
+    pub fn set_max_decoding_buffer_size(&mut self, max: usize) {
+        self.decoding_buffer_size_limit = max;
+    }
+
     /// Returns metadata about the image.
     ///
     /// The returned value will be `None` until a call to either `read_info` or `decode` has
@@ -532,6 +541,15 @@ impl<R: Read> Decoder<R> {
 
         let frame = self.frame.as_ref().unwrap();
 
+        if {
+            let required_mem = frame.components.len()
+                .checked_mul(frame.output_size.width.into())
+                .and_then(|m| m.checked_mul(frame.output_size.height.into()));
+            required_mem.map_or(true, |m| self.decoding_buffer_size_limit < m)
+        } {
+            return Err(Error::Format("size of decoded image exceeds maximum allowed size".to_owned()));
+        }
+
         // If we're decoding a progressive jpeg and a component is unfinished, render what we've got
         if frame.coding_process == CodingProcess::DctProgressive
             && self.coefficients.len() == frame.components.len()
