more sanity checks when reading iref box (should fix Cluster-Fuzz Iss…
…ue 63008)
farindk committed Oct 12, 2023
1 parent 94e5a84 commit 55dfd3d
Showing 2 changed files with 32 additions and 1 deletion.
31 changes: 30 additions & 1 deletion libheif/box.cc
Expand Up @@ -2605,6 +2605,35 @@ Error Box_iref::parse(BitstreamRange& range)
}


// --- check number of total refs

size_t nTotalRefs = 0;
for (const auto& ref : m_references) {
nTotalRefs += ref.to_item_ID.size();
}

if (nTotalRefs > MAX_IREF_REFERENCES) {
return Error(heif_error_Memory_allocation_error, heif_suberror_Security_limit_exceeded,
"Number of iref references exceeds security limit.");
}

// --- check for cyclic references

for (const auto& ref : m_references) {
std::set<heif_item_id> to_ids;
for (const auto to_id : ref.to_item_ID) {
if (to_ids.find(to_id) != to_ids.end()) {
to_ids.insert(to_id);
}
else {
return Error(heif_error_Invalid_input,
heif_suberror_Unspecified,
"'iref' has double references");
}
}
}


// --- check for cyclic references

for (const auto& ref : m_references) {
Expand All @@ -2628,7 +2657,7 @@ Error Box_iref::parse(BitstreamRange& range)
// Otherwise, put that ID into the 'todo' set.

for (const auto& succ_ref_id : succ_ref.to_item_ID) {
if (reached_ids.find(succ_ref_id) != reached_ids.end()) {
if (reached_ids.find(succ_ref_id) != reached_ids.end()) {
return Error(heif_error_Invalid_input,
heif_suberror_Unspecified,
"'iref' has cyclic references");
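Review bot: The duplicate check in the second added loop is inverted: `to_ids` starts empty, so `to_ids.find(to_id) != to_ids.end()` is false for the first ID and the `else` branch returns "'iref' has double references" for any reference with at least one target, while the insert branch can never be reached. Flip the comparison to `== to_ids.end()`, or use the insert result directly: `if (!to_ids.insert(to_id).second) { return Error(...); }`. The block is also headed `// --- check for cyclic references`, the same text as the following block, although it looks for duplicates inside one reference; `// --- check for duplicate references` would match what it does. Separately, the `MAX_IREF_REFERENCES` test runs after `m_references` appears to be fully populated (the read loop of `Box_iref::parse` is outside the hunk), so it bounds the later cycle search but presumably not the allocations made while parsing; counting entries as they are read would cover both.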
2 changes: 2 additions & 0 deletions libheif/security_limits.h
Expand Up @@ -42,4 +42,6 @@ static const int64_t MAX_LARGE_BOX_SIZE = 0x0FFFFFFFFFFFFFFF;
static const int64_t MAX_FILE_POS = 0x007FFFFFFFFFFFFFLL; // maximum file position
static const int MAX_FRACTION_VALUE = 0x10000;

static const int MAX_IREF_REFERENCES = 10000;

#endif // LIBHEIF_SECURITY_LIMITS_H
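Review bot: `MAX_IREF_REFERENCES` is added without a comment saying what it counts, unlike `MAX_FILE_POS` two lines above. From its use in box.cc it limits the sum of `to_item_ID` entries over all references in one 'iref' box, not the number of references, so a trailing comment such as `// maximum total number of to_item_ID entries in one 'iref' box` would keep the limit from being misread when it is tuned. It is declared `int` but compared against a `size_t` in box.cc, which is likely to trigger a sign-compare warning; a cast at the comparison would avoid that while keeping the type consistent with the other limits here.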
