
PNG decoding relies on `output_buffer_size()` function that may overflow

Open Shnatsel opened this issue 2 years ago • 1 comment

This happens in image 0.24.8

Expected

Images with buffer sizes too large for usize are rejected early

Actual behaviour

I see PNG decoding code using output_buffer_size() from the PNG crate in multiple places. Looking at its implementation, the computation may silently overflow.

This was recently fixed in GIF in #2103, but PNG seems to be affected too.

I haven't actually tested this - there might be some early check that catches this, but even so the code is fragile.

Shnatsel avatar Jan 16 '24 02:01 Shnatsel

Doesn't seem to impact the main read_image method, but should still be fixed.

If anyone wants to look at resolving this, the total_bytes() method on PngDecoder (via the ImageDecoder trait) returns the same value, but as a u64 and computed with saturating multiplies so it doesn't overflow.

fintelia avatar Jan 16 '24 03:01 fintelia
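The two computations discussed in this issue, as an added example that is not code from the image or png crates: a naive `width * height * bytes_per_pixel` that can wrap silently, a checked variant that refuses to produce a size when any intermediate product overflows `usize`, and a saturating `u64` variant in the style the comment above describes for `total_bytes()`, used to reject oversized images before any allocation happens. The layout formula and the function names are assumptions for illustration, not the png crate's own `output_buffer_size()` logic.

```rust
// Added example (not from the image or png crates). The buffer layout
// assumed here is width * height * bytes_per_pixel; real PNG decoders
// also account for scanline filter bytes, which is omitted for clarity.

/// Naive size computation. `wrapping_mul` makes the release-build behaviour
/// explicit: an oversized image can yield a small (even zero) result, so a
/// later allocation looks harmless and the decoder proceeds on bad premises.
pub fn naive_buffer_size(width: usize, height: usize, bytes_per_pixel: usize) -> usize {
    width.wrapping_mul(height).wrapping_mul(bytes_per_pixel)
}

/// Checked variant: returns None if the size does not fit in usize.
/// Dimensions are u32 because that is how PNG encodes them in its header.
pub fn checked_buffer_size(width: u32, height: u32, bytes_per_pixel: u8) -> Option<usize> {
    let row = usize::try_from(width).ok()?.checked_mul(usize::from(bytes_per_pixel))?;
    usize::try_from(height).ok()?.checked_mul(row)
}

/// Saturating u64 variant. The result can never wrap; at worst it clamps to
/// u64::MAX, which any sane size limit will reject.
pub fn saturating_total_bytes(width: u32, height: u32, bytes_per_pixel: u8) -> u64 {
    u64::from(width)
        .saturating_mul(u64::from(height))
        .saturating_mul(u64::from(bytes_per_pixel))
}

/// Early rejection: compare the saturating size against a caller-chosen
/// limit before allocating, then allocate only what the checked computation
/// confirms fits in memory.
pub fn reserve_decode_buffer(
    width: u32,
    height: u32,
    bytes_per_pixel: u8,
    limit: usize,
) -> Result<Vec<u8>, String> {
    let total = saturating_total_bytes(width, height, bytes_per_pixel);
    if total > limit as u64 {
        return Err(format!("image needs {total} bytes, limit is {limit}"));
    }
    let size = checked_buffer_size(width, height, bytes_per_pixel)
        .ok_or_else(|| "buffer size overflows usize".to_string())?;
    Ok(vec![0u8; size])
}

fn main() {
    // Constructed dimensions: a tiny image and an absurdly large header.
    println!("16x16 RGBA: {:?}", reserve_decode_buffer(16, 16, 4, 1 << 30).map(|b| b.len()));
    println!(
        "u32::MAX square RGBA: {:?}",
        reserve_decode_buffer(u32::MAX, u32::MAX, 4, 1 << 30)
    );
    // The naive computation wraps to zero for a product of exactly 2^bits.
    println!("naive wrap: {}", naive_buffer_size(usize::MAX / 2 + 1, 2, 1));
}
```

The limit passed to `reserve_decode_buffer` is the caller's policy (a few hundred megabytes is typical for untrusted input); the point is that the comparison happens on a value that cannot have wrapped, so a hostile header cannot sneak past it by overflowing.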