Add diagnostic messages if imageSizeLimit exceeded
Add custom diagnostic messages if item size, track size, or grid
dimensions exceed imageSizeLimit.
Related to https://github.com/AOMediaCodec/libavif/issues/263.
diff --git a/src/read.c b/src/read.c
index 4e3591b..667ff2f 100644
--- a/src/read.c
+++ b/src/read.c
@@ -1631,10 +1631,14 @@
CHECK(avifROStreamReadU32(&s, &grid->outputWidth)); // unsigned int(FieldLength) output_width;
CHECK(avifROStreamReadU32(&s, &grid->outputHeight)); // unsigned int(FieldLength) output_height;
}
- if ((grid->outputWidth == 0) || (grid->outputHeight == 0) || (grid->outputWidth > (imageSizeLimit / grid->outputHeight))) {
+ if ((grid->outputWidth == 0) || (grid->outputHeight == 0)) {
avifDiagnosticsPrintf(diag, "Grid box contains illegal dimensions: [%u x %u]", grid->outputWidth, grid->outputHeight);
return AVIF_FALSE;
}
+ if (grid->outputWidth > (imageSizeLimit / grid->outputHeight)) {
+ avifDiagnosticsPrintf(diag, "Grid box dimensions are too large: [%u x %u]", grid->outputWidth, grid->outputHeight);
+ return AVIF_FALSE;
+ }
return avifROStreamRemainingBytes(&s) == 0;
}
@@ -2365,10 +2369,14 @@
track->width = width >> 16;
track->height = height >> 16;
- if ((track->width == 0) || (track->height == 0) || (track->width > (imageSizeLimit / track->height))) {
+ if ((track->width == 0) || (track->height == 0)) {
avifDiagnosticsPrintf(diag, "Track ID [%u] has an invalid size [%ux%u]", track->id, track->width, track->height);
return AVIF_FALSE;
}
+ if (track->width > (imageSizeLimit / track->height)) {
+ avifDiagnosticsPrintf(diag, "Track ID [%u] size is too large [%ux%u]", track->id, track->width, track->height);
+ return AVIF_FALSE;
+ }
// TODO: support scaling based on width/height track header info?
@@ -3079,10 +3087,14 @@
item->width = ispeProp->u.ispe.width;
item->height = ispeProp->u.ispe.height;
- if ((item->width == 0) || (item->height == 0) || (item->width > (decoder->imageSizeLimit / item->height))) {
+ if ((item->width == 0) || (item->height == 0)) {
avifDiagnosticsPrintf(data->diag, "Item ID [%u] has an invalid size [%ux%u]", item->id, item->width, item->height);
return AVIF_RESULT_BMFF_PARSE_FAILED;
}
+ if (item->width > (decoder->imageSizeLimit / item->height)) {
+ avifDiagnosticsPrintf(data->diag, "Item ID [%u] size is too large [%ux%u]", item->id, item->width, item->height);
+ return AVIF_RESULT_BMFF_PARSE_FAILED;
+ }
} else {
avifDiagnosticsPrintf(data->diag, "Item ID [%u] is missing a mandatory ispe property", item->id);
return AVIF_RESULT_BMFF_PARSE_FAILED;
diff --git a/src/scale.c b/src/scale.c
index 81a1dba..7dcbd6c 100644
--- a/src/scale.c
+++ b/src/scale.c
@@ -36,10 +36,14 @@
return AVIF_TRUE;
}
- if ((dstWidth == 0) || (dstHeight == 0) || (dstWidth > (imageSizeLimit / dstHeight))) {
+ if ((dstWidth == 0) || (dstHeight == 0)) {
avifDiagnosticsPrintf(diag, "avifImageScale requested invalid dst dimensions [%ux%u]", dstWidth, dstHeight);
return AVIF_FALSE;
}
+ if (dstWidth > (imageSizeLimit / dstHeight)) {
+ avifDiagnosticsPrintf(diag, "avifImageScale requested dst dimensions that are too large [%ux%u]", dstWidth, dstHeight);
+ return AVIF_FALSE;
+ }
uint8_t * srcYUVPlanes[AVIF_PLANE_COUNT_YUV];
uint32_t srcYUVRowBytes[AVIF_PLANE_COUNT_YUV];
