Skip to content

Commit

Permalink
check security limit for number of 'tild' tiles
Browse files Browse the repository at this point in the history
  • Loading branch information
@farindk
farindk committed Oct 5, 2024
1 parent 437e6c4 commit 6d5888c
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 6 deletions.
25 changes: 20 additions & 5 deletions libheif/image-items/tild.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -248,15 +248,23 @@ Error Box_tilC::parse(BitstreamRange& range)
}


void TildHeader::set_parameters(const heif_tild_image_parameters& params)
Error TildHeader::set_parameters(const heif_tild_image_parameters& params)
{
m_parameters = params;

if (number_of_tiles(params) > MAX_TILD_TILES) {
return {heif_error_Unsupported_filetype,
heif_suberror_Security_limit_exceeded,
"Number of tiles exceeds security limit"};
}

m_offsets.resize(number_of_tiles(params));

for (auto& tile: m_offsets) {
tile.offset = TILD_OFFSET_NOT_LOADED;
}

return Error::Ok;
}


Expand Down Expand Up @@ -439,7 +447,6 @@ heif_compression_format ImageItem_Tild::get_compression_format() const

Error ImageItem_Tild::on_load_file()
{
Error err;
auto heif_file = get_context()->get_heif_file();

auto tilC_box = heif_file->get_property<Box_tilC>(get_id());
Expand All @@ -466,7 +473,9 @@ Error ImageItem_Tild::on_load_file()
"'tild' image with zero width or height."};
}

m_tild_header.set_parameters(parameters);
if (Error err = m_tild_header.set_parameters(parameters)) {
return err;
}

m_tile_decoder = Decoder::alloc_for_infe_type(get_context(), get_id(), parameters.compression_type_fourcc);
if (!m_tile_decoder) {
Expand All @@ -476,8 +485,7 @@ Error ImageItem_Tild::on_load_file()
}

if (m_preload_offset_table) {
err = m_tild_header.read_full_offset_table(heif_file, get_id());
if (err) {
if (Error err = m_tild_header.read_full_offset_table(heif_file, get_id())) {
return err;
}
}
Expand All @@ -489,6 +497,13 @@ Error ImageItem_Tild::on_load_file()
Result<std::shared_ptr<ImageItem_Tild>>
ImageItem_Tild::add_new_tild_item(HeifContext* ctx, const heif_tild_image_parameters* parameters)
{
if (number_of_tiles(*parameters) > MAX_TILD_TILES) {
return Error{heif_error_Usage_error,
heif_suberror_Security_limit_exceeded,
"Number of tiles exceeds security limit."};
}


// Create 'tild' Item

auto file = ctx->get_heif_file();
Expand Down
2 changes: 1 addition & 1 deletion libheif/image-items/tild.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ class Box_tilC : public FullBox
class TildHeader
{
public:
void set_parameters(const heif_tild_image_parameters& params);
Error set_parameters(const heif_tild_image_parameters& params);

const heif_tild_image_parameters& get_parameters() const { return m_parameters; }

Expand Down

0 comments on commit 6d5888c

Please sign in to comment.