use context-local security limits that can be overwritten by client

libheif/CMakeLists.txt

@@ -36,6 +36,7 @@ set(libheif_sources
         nclx.cc
         nclx.h
         plugin_registry.h
+        security_limits.cc
         security_limits.h
         init.cc
         init.h

libheif/api/libheif/heif.cc

@@ -19,6 +19,7 @@
  */
 
 #include "heif_plugin.h"
+#include "security_limits.h"
 #include "region.h"
 #include "common_utils.h"
 #include <cstdint>
@@ -323,7 +324,7 @@ int heif_has_compatible_brand(const uint8_t* data, int len, const char* brand_fo
   BitstreamRange range(stream, len);
 
   std::shared_ptr<Box> box;
-  Error err = Box::read(range, &box);
+  Error err = Box::read(range, &box, heif_get_global_security_limits());
   if (err) {
     if (err.sub_error_code == heif_suberror_End_of_data) {
       return -1;
@@ -355,7 +356,7 @@ struct heif_error heif_list_compatible_brands(const uint8_t* data, int len, heif
   BitstreamRange range(stream, len);
 
   std::shared_ptr<Box> box;
-  Error err = Box::read(range, &box);
+  Error err = Box::read(range, &box, heif_get_global_security_limits());
   if (err) {
     if (err.sub_error_code == heif_suberror_End_of_data) {
       return {err.error_code, err.sub_error_code, "insufficient input data"};
@@ -479,6 +480,36 @@ const char* heif_get_file_mime_type(const uint8_t* data, int len)
 }
 
 
+const struct heif_security_limits* heif_get_global_security_limits()
+{
+  return &global_security_limits;
+}
+
+
+struct heif_security_limits* heif_context_get_security_limits(const struct heif_context* ctx)
+{
+  if (!ctx) {
+    return nullptr;
+  }
+
+  return ctx->context->get_security_limits();
+}
+
+
+struct heif_error heif_context_set_security_limits(struct heif_context* ctx, const struct heif_security_limits* limits)
+{
+  if (ctx==nullptr || limits==nullptr) {
+    return {heif_error_Usage_error,
+            heif_suberror_Null_pointer_argument};
+  }
+
+  ctx->context->set_security_limits(limits);
+
+  return heif_error_ok;
+}
+
+
+
 heif_context* heif_context_alloc()
 {
   load_plugins_if_not_initialized_yet();

libheif/api/libheif/heif.h

@@ -933,6 +933,7 @@ LIBHEIF_API
 void heif_context_free(struct heif_context*);
 
 
+
 struct heif_reading_options;
 
 enum heif_reader_grow_status
@@ -1100,6 +1101,39 @@ LIBHEIF_API
 void heif_context_set_max_decoding_threads(struct heif_context* ctx, int max_threads);
 
 
+// --- security limits
+
+// If you set a limit to 0, the limit is disabled.
+struct heif_security_limits {
+  uint8_t version;
+
+  // --- version 1
+
+  // Artificial limit to avoid allocating too much memory.
+  // 32768^2 = 1.5 GB as YUV-4:2:0 or 4 GB as RGB32
+  uint64_t max_image_size_pixels ;
+  uint32_t max_bayer_pattern_pixels;
+
+  uint32_t max_iref_references;
+  uint32_t max_iloc_items;
+  uint32_t max_iloc_extents_per_item;
+  uint32_t max_children_per_box;
+  uint64_t max_number_of_tiles;
+
+  uint32_t max_color_profile_size;
+  uint64_t max_memory_block_size;
+};
+
+LIBHEIF_API
+const struct heif_security_limits* heif_get_global_security_limits();
+
+LIBHEIF_API
+struct heif_security_limits* heif_context_get_security_limits(const struct heif_context*);
+
+LIBHEIF_API
+struct heif_error heif_context_set_security_limits(struct heif_context*, const struct heif_security_limits*);
+
+
 // ========================= heif_image_handle =========================
 
 // An heif_image_handle is a handle to a logical image in the HEIF file.

libheif/api/libheif/heif_experimental.h

@@ -334,8 +334,6 @@ struct heif_complex64* heif_image_get_channel_complex64(struct heif_image*,
                                                         enum heif_channel channel,
                                                         uint32_t* out_stride);
 
-
-
 #ifdef __cplusplus
 }
 #endif