Merge pull request #49 from lordnn/master

agruzdev · web-flow · commit d7a6ab70f3be · 2026-01-10T19:00:06.000+03:00
Fixed some CVEs
diff --git a/3rdParty/LibJXR/jxrgluelib/JXRMeta.c b/3rdParty/LibJXR/jxrgluelib/JXRMeta.c
@@ -246,33 +246,35 @@ ERR BufferCalcIFDSize(const U8* pbdata, size_t cbdata, U32 ofsifd, U8 endian, U3
 }
 
 
-ERR StreamCalcIFDSize(struct WMPStream* pWS, U32 uIFDOfs, U32 *pcbifd)
+static ERR StreamCalcIFDSizePrivate(struct WMPStream* pWS, U32 uIFDOfs, U32 *pcbifd, U32 rcnt)
 {
     ERR err = WMP_errSuccess;
     size_t offCurPos = 0;
     Bool GetPosOK = FALSE;
-    U16 cDir;
-    U32 i;
-    U32 ofsdir;
-    U32 cbifd = 0;
+    U16 cDir = 0;
     U32 cbEXIFIFD = 0;
     U32 cbGPSInfoIFD = 0;
     U32 cbInteroperabilityIFD = 0;
 
+    // sanity check: avoid infinite recursion
+    if (rcnt > 10) {
+        Call(WMP_errFail);
+    }
+
     *pcbifd = 0;
     Call(pWS->GetPos(pWS, &offCurPos));
     GetPosOK = TRUE;
 
     Call(GetUShort(pWS, uIFDOfs, &cDir));
-    cbifd = sizeof(U16) + cDir * SizeofIFDEntry + sizeof(U32);
-    ofsdir = uIFDOfs + sizeof(U16);
-    for ( i = 0; i < cDir; i++ )
+    U32 cbifd = sizeof(U16) + cDir * SizeofIFDEntry + sizeof(U32);
+    U32 ofsdir = uIFDOfs + sizeof(U16);
+    for (U16 i = 0; i < cDir; i++ )
     {
-        U16 tag;
-        U16 type;
-        U32 count;
-        U32 value;
-        U32 datasize;
+        U16 tag = 0;
+        U16 type = 0;
+        U32 count = 0;
+        U32 value = 0;
+        U32 datasize = 0;
 
         Call(GetUShort(pWS, ofsdir, &tag));
         Call(GetUShort(pWS, ofsdir + sizeof(U16), &type));
@@ -281,39 +283,48 @@ ERR StreamCalcIFDSize(struct WMPStream* pWS, U32 uIFDOfs, U32 *pcbifd)
         FailIf(type == 0 || type >= sizeof(IFDEntryTypeSizes) / sizeof(IFDEntryTypeSizes[0]), WMP_errUnsupportedFormat);
         if ( tag == WMP_tagEXIFMetadata )
         {
-            Call(StreamCalcIFDSize(pWS, value, &cbEXIFIFD));
+            Call(StreamCalcIFDSizePrivate(pWS, value, &cbEXIFIFD, rcnt + 1));
         }
         else if ( tag == WMP_tagGPSInfoMetadata )
         {
-            Call(StreamCalcIFDSize(pWS, value, &cbGPSInfoIFD));
+            Call(StreamCalcIFDSizePrivate(pWS, value, &cbGPSInfoIFD, rcnt + 1));
         }
         else if ( tag == WMP_tagInteroperabilityIFD )
         {
-            Call(StreamCalcIFDSize(pWS, value, &cbInteroperabilityIFD));
+            Call(StreamCalcIFDSizePrivate(pWS, value, &cbInteroperabilityIFD, rcnt + 1));
         }
         else
         {
             datasize = IFDEntryTypeSizes[type] * count;
-            if ( datasize > 4 )
+            if (datasize > 4) {
                 cbifd += datasize;
+            }
         }
         ofsdir += SizeofIFDEntry;
     }
-    if ( cbEXIFIFD != 0 )
-        cbifd += ( cbifd & 1 ) + cbEXIFIFD;
-    if ( cbGPSInfoIFD != 0 )
-        cbifd += ( cbifd & 1 ) + cbGPSInfoIFD;
-    if ( cbInteroperabilityIFD != 0 )
-        cbifd += ( cbifd & 1 ) + cbInteroperabilityIFD;
+    if (cbEXIFIFD != 0) {
+        cbifd += (cbifd & 1) + cbEXIFIFD;
+    }
+    if (cbGPSInfoIFD != 0) {
+        cbifd += (cbifd & 1) + cbGPSInfoIFD;
+    }
+    if (cbInteroperabilityIFD != 0) {
+        cbifd += (cbifd & 1) + cbInteroperabilityIFD;
+    }
     *pcbifd = cbifd;
 
 Cleanup:
-    if ( GetPosOK )
-        Call(pWS->SetPos(pWS, offCurPos));
+    if (GetPosOK && WMP_errSuccess == err) {
+        err = pWS->SetPos(pWS, offCurPos);
+    }
     return ( err );
 }
 
 
+ERR StreamCalcIFDSize(struct WMPStream *pWS, U32 uIFDOfs, U32 *pcbifd)
+{
+    return StreamCalcIFDSizePrivate(pWS, uIFDOfs, pcbifd, 0);
+}
 
 // src IFD copied to dst IFD with any nested IFD's
 // src IFD is arbitrary endian, arbitrary data arrangement
@@ -322,28 +333,23 @@ ERR StreamCalcIFDSize(struct WMPStream* pWS, U32 uIFDOfs, U32 *pcbifd)
 ERR BufferCopyIFD(const U8* pbsrc, U32 cbsrc, U32 ofssrc, U8 endian, U8* pbdst, U32 cbdst, U32* pofsdst)
 {
     ERR err = WMP_errSuccess;
-    U16 cDir;
-    U16 i;
+    U16 cDir = 0;
     U16 ofsEXIFIFDEntry = 0;
     U16 ofsGPSInfoIFDEntry = 0;
     U16 ofsInteroperabilityIFDEntry = 0;
     U32 ofsEXIFIFD = 0;
     U32 ofsGPSInfoIFD = 0;
     U32 ofsInteroperabilityIFD = 0;
-    U32 ofsdstnextdata;
     U32 ofsdst = *pofsdst;
-    U32 ofssrcdir;
-    U32 ofsdstdir;
-    U32 ofsnextifd;
 
     Call(getbfwe(pbsrc, cbsrc, ofssrc, &cDir, endian));
     Call(setbfw(pbdst, cbdst, ofsdst, cDir));
-    ofsnextifd = ofsdst + sizeof(U16) + SizeofIFDEntry * cDir;
-    ofsdstnextdata = ofsnextifd + sizeof(U32);
+    U32 ofsnextifd = ofsdst + sizeof(U16) + SizeofIFDEntry * cDir;
+    U32 ofsdstnextdata = ofsnextifd + sizeof(U32);
 
-    ofssrcdir = ofssrc + sizeof(U16);
-    ofsdstdir = ofsdst + sizeof(U16);
-    for ( i = 0; i < cDir; i++ )
+    U32 ofssrcdir = ofssrc + sizeof(U16);
+    U32 ofsdstdir = ofsdst + sizeof(U16);
+    for (U16 i = 0; i < cDir; i++ )
     {
         U16 tag;
         U16 type;
@@ -476,32 +482,27 @@ ERR StreamCopyIFD(struct WMPStream* pWS, U32 ofssrc, U8* pbdst, U32 cbdst, U32*
     ERR err = WMP_errSuccess;
     size_t offCurPos = 0;
     Bool GetPosOK = FALSE;
-    U16 cDir;
-    U16 i;
+    U16 cDir = 0;
     U16 ofsEXIFIFDEntry = 0;
     U16 ofsGPSInfoIFDEntry = 0;
     U16 ofsInteroperabilityIFDEntry = 0;
     U32 ofsEXIFIFD = 0;
     U32 ofsGPSInfoIFD = 0;
     U32 ofsInteroperabilityIFD = 0;
-    U32 ofsdstnextdata;
     U32 ofsdst = *pofsdst;
-    U32 ofssrcdir;
-    U32 ofsdstdir;
-    U32 ofsnextifd;
 
     Call(pWS->GetPos(pWS, &offCurPos));
     GetPosOK = TRUE;
 
     Call(GetUShort(pWS, ofssrc, &cDir));
     Call(setbfw(pbdst, cbdst, ofsdst, cDir));
 
-    ofsnextifd = ofsdst + sizeof(U16) + SizeofIFDEntry * cDir;
-    ofsdstnextdata = ofsnextifd + sizeof(U32);
+    U32 ofsnextifd = ofsdst + sizeof(U16) + SizeofIFDEntry * cDir;
+    U32 ofsdstnextdata = ofsnextifd + sizeof(U32);
 
-    ofssrcdir = ofssrc + sizeof(U16);
-    ofsdstdir = ofsdst + sizeof(U16);
-    for ( i = 0; i < cDir; i++ )
+    U32 ofssrcdir = ofssrc + sizeof(U16);
+    U32 ofsdstdir = ofsdst + sizeof(U16);
+    for (U16 i = 0; i < cDir; i++ )
     {
         U16 tag;
         U16 type;
@@ -579,8 +580,9 @@ ERR StreamCopyIFD(struct WMPStream* pWS, U32 ofssrc, U8* pbdst, U32 cbdst, U32*
     *pofsdst = ofsdstnextdata;
 
 Cleanup:
-    if ( GetPosOK )
+    if (GetPosOK) {
         Call(pWS->SetPos(pWS, offCurPos));
+    }
     return err;
 }
 
diff --git a/Source/Plugins/PSDParser.cpp b/Source/Plugins/PSDParser.cpp
@@ -1319,41 +1319,36 @@ void psdParser::ReadImageLine(uint8_t* dst, const uint8_t* src, unsigned lineSiz
 	}
 }
 
-void psdParser::UnpackRLE(uint8_t* line, const uint8_t* rle_line, const uint8_t* line_end, unsigned srcSize) {
-	while (srcSize > 1) {
-		if (line >= line_end) {
-			return;
-		}
+static void UnpackRLE(uint8_t* line, const uint8_t* rle_line, unsigned dstSize, unsigned srcSize) {
+	while (srcSize > 1 && dstSize > 0) {
 
-		const uint8_t len_byte = *rle_line++;
-		srcSize--;
+		unsigned len = *rle_line++;
+		--srcSize;
 
 		// NOTE len is signed byte in PackBits RLE
 
-		if ( len_byte < 128 ) { //<- MSB is not set
+		if (len < 128) { //<- MSB is not set
 			// uncompressed packet
 
-			// (len + 1) bytes of data are copied
-			const uint32_t len = std::min(static_cast<uint32_t>(len_byte + 1), srcSize);
-
-			// assert we don't write beyound eol
-			memcpy(line, rle_line, line + len > line_end ? line_end - line : len);
+            // assert we don't write beyound eol
+            len = std::min({ len + 1, dstSize, srcSize });
+			memcpy(line, rle_line, len);
 			line += len;
 			rle_line += len;
 			srcSize -= len;
+            dstSize -= len;
 		}
-		else if ( len_byte > 128 ) { //< MSB is set
+		else if (len > 128 ) { //< MSB is set
 			// RLE compressed packet
 
 			// One byte of data is repeated (-len + 1) times
 
-			// same as (-len + 1) & 0xFF
-			const uint32_t len = (len_byte ^ 0xFF) + 2;
-
-			// assert we don't write beyound eol
-			memset(line, *rle_line++, line + len > line_end ? line_end - line : len);
+            // assert we don't write beyound eol
+            len = std::min((len ^ 0xFF) + 2, dstSize);
+			memset(line, *rle_line++, len);
 			line += len;
-			srcSize--;
+			--srcSize;
+            dstSize -= len;
 		}
 		else {
 			// 128 == len
@@ -1553,16 +1548,7 @@ FIBITMAP* psdParser::ReadImageData(FreeImageIO* io, fi_handle handle) {
 #endif
 			}
 
-			uint32_t largestRLELine = 0;
-			for (unsigned ch = 0; ch < nChannels; ++ch) {
-				for (unsigned h = 0; h < nHeight; ++h) {
-					const unsigned index = ch * nHeight + h;
-
-					if (largestRLELine < rleLineSizeList[index]) {
-						largestRLELine = rleLineSizeList[index];
-					}
-				}
-			}
+            const auto largestRLELine = *std::max_element(rleLineSizeList.get(), rleLineSizeList.get() + nChannels * nHeight);
 
 			auto rle_line_start = std::make_unique<uint8_t[]>(largestRLELine);
 
@@ -1572,7 +1558,6 @@ FIBITMAP* psdParser::ReadImageData(FreeImageIO* io, fi_handle handle) {
 					// @todo write to extra channels
 					break;
 				}
-				const uint8_t* const line_end = line_start.get() + lineSize;
 
 				const unsigned channelOffset = GetChannelOffset(bitmap, ch) * bytes;
 
@@ -1588,7 +1573,7 @@ FIBITMAP* psdParser::ReadImageData(FreeImageIO* io, fi_handle handle) {
 
 					// - write line to destination -
 
-					UnpackRLE(line_start.get(), rle_line_start.get(), line_end, rleLineSize);
+					UnpackRLE(line_start.get(), rle_line_start.get(), lineSize, rleLineSize);
 					ReadImageLine(dst_line_start, line_start.get(), lineSize, dstBpp, bytes);
 				}//< h
 			}//< ch
diff --git a/Source/Plugins/PSDParser.h b/Source/Plugins/PSDParser.h
@@ -316,7 +316,6 @@ class psdParser {
 	/**	Actually ignore it */
 	bool ReadLayerAndMaskInfoSection(FreeImageIO *io, fi_handle handle);
 	void ReadImageLine(uint8_t* dst, const uint8_t* src, unsigned lineSize, unsigned dstBpp, unsigned bytes);
-	void UnpackRLE(uint8_t* dst, const uint8_t* src, const uint8_t* dst_end, unsigned srcSize);
 	FIBITMAP* ReadImageData(FreeImageIO *io, fi_handle handle);
 	bool WriteLayerAndMaskInfoSection(FreeImageIO *io, fi_handle handle);
 	void WriteImageLine(uint8_t* dst, const uint8_t* src, unsigned lineSize, unsigned srcBpp, unsigned bytes);
diff --git a/Source/Plugins/PluginHDR.cpp b/Source/Plugins/PluginHDR.cpp
@@ -630,6 +630,9 @@ Load(FreeImageIO *io, fi_handle handle, int page, int flags, void *data) {
 		if (!rgbe_ReadHeader(io, handle, &width, &height, &header_info)) {
 			return nullptr;
 		}
+        if (width > 65500 || height > 65500) {
+            throw FI_MSG_ERROR_DIB_MEMORY;
+        }
 
 		// allocate a RGBF image
 		std::unique_ptr<FIBITMAP, decltype(&FreeImage_Unload)> dib(FreeImage_AllocateHeaderT(header_only, FIT_RGBF, width, height), &FreeImage_Unload);
diff --git a/Source/Plugins/PluginTIFF.cpp b/Source/Plugins/PluginTIFF.cpp
@@ -386,7 +386,7 @@ static FIBITMAP*
 CreateImageType(FIBOOL header_only, FREE_IMAGE_TYPE fit, int width, int height, uint16_t bitspersample, uint16_t samplesperpixel) {
 	FIBITMAP *dib{};
 
-	if ((width < 0) || (height < 0)) {
+	if ((width < 0) || (height < 0) || (4 < samplesperpixel)) {
 		// check for malicious images
 		return nullptr;
 	}

Original file line number	Diff line number	Diff line change
`@@ -630,6 +630,9 @@ Load(FreeImageIO io, fi_handle handle, int page, int flags, void data) {`
`630`	`630`	`if (!rgbe_ReadHeader(io, handle, &width, &height, &header_info)) {`
`631`	`631`	`return nullptr;`
`632`	`632`	`}`
	`633`	`+ if (width > 65500 \|\| height > 65500) {`
	`634`	`+ throw FI_MSG_ERROR_DIB_MEMORY;`
	`635`	`+ }`
`633`	`636`
`634`	`637`	`// allocate a RGBF image`
`635`	`638`	`std::unique_ptr<FIBITMAP, decltype(&FreeImage_Unload)> dib(FreeImage_AllocateHeaderT(header_only, FIT_RGBF, width, height), &FreeImage_Unload);`
Original file line number	Diff line number	Diff line change
`@@ -386,7 +386,7 @@ static FIBITMAP*`
`386`	`386`	`CreateImageType(FIBOOL header_only, FREE_IMAGE_TYPE fit, int width, int height, uint16_t bitspersample, uint16_t samplesperpixel) {`
`387`	`387`	`FIBITMAP *dib{};`
`388`	`388`
`389`		`- if ((width < 0) \|\| (height < 0)) {`
	`389`	`+ if ((width < 0) \|\| (height < 0) \|\| (4 < samplesperpixel)) {`
`390`	`390`	`// check for malicious images`
`391`	`391`	`return nullptr;`
`392`	`392`	`}`