Add missing decoder sanitation checks #2077
Conversation
bytesRead = this.currentStream.Read(exifData, 0, (int)exifChunkSize); | ||
if (bytesRead != exifChunkSize) | ||
{ | ||
WebpThrowHelper.ThrowInvalidImageContentException("Not enough data to read the exif chunk"); |
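Review bot: a single `Stream.Read` is not guaranteed to fill the buffer even when enough data remains, so `bytesRead != exifChunkSize` can reject a valid file on a non-seekable or network-backed stream; read in a loop until `exifChunkSize` bytes have arrived or the stream ends, and only then decide the data is missing. Separately, `(int)exifChunkSize` on a size taken from the file wraps negative for values above int.MaxValue, which makes `Read` throw an argument exception instead of the intended InvalidImageContentException; bound `exifChunkSize` against the bytes remaining in the stream before allocating `exifData`. Since EXIF is trailing metadata the decoder does not need, skipping the chunk on a short read is the safer fallback than throwing.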
Are there rules in WebP about where these chunks should be, i.e. are they always before the image data?
ICCP and ANIM chunks should always come before the image data, EXIF and XMP chunks should come after the image data.
https://developers.google.com/speed/webp/docs/riff_container#extended_file_format
Since EXIF and XMP chunks come after, I don't think we should throw for them and skip instead. I would consider those non-critical.
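A chunk walker that applies the ordering and criticality rules discussed above, added here as an illustration in Python; it is not code from the ImageSharp WebP decoder. It assumes the chunk classes as listed (ICCP/ANIM before the image data, EXIF/XMP after it) and makes one policy choice explicit: misplaced ICCP/ANIM is rejected, while truncated or misplaced EXIF/XMP is skipped and recorded. The sample files are constructed container framing around filler payloads, not real images.

```python
import struct
from dataclasses import dataclass, field

# Chunk classes from the RIFF container spec linked above.
IMAGE_CHUNKS = {b"VP8 ", b"VP8L", b"ALPH", b"ANMF"}
PRE_IMAGE_CHUNKS = {b"ICCP", b"ANIM"}   # must precede the image data
POST_IMAGE_CHUNKS = {b"EXIF", b"XMP "}  # follow the image data; treated as non-critical here


class InvalidImageContent(Exception):
    """Raised for defects that make the image undecodable."""


@dataclass
class WebpScan:
    chunks: list = field(default_factory=list)   # (fourcc, payload size) accepted, in file order
    skipped: list = field(default_factory=list)  # (fourcc, reason) for non-critical chunks dropped


def scan_webp(data: bytes) -> WebpScan:
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise InvalidImageContent("not a RIFF/WEBP container")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    # The RIFF size covers everything after the 8-byte RIFF header; never trust it
    # beyond the bytes actually present.
    end = min(8 + riff_size, len(data))
    result = WebpScan()
    pos = 12
    seen_image = False
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        pos += 8
        if size > end - pos:
            # Declared size exceeds what is left: fatal for anything the decoder needs,
            # a recorded skip for trailing metadata (the "skip instead of throw" point above).
            if fourcc in POST_IMAGE_CHUNKS:
                result.skipped.append((fourcc, "truncated"))
                break
            raise InvalidImageContent(f"not enough data to read the {fourcc!r} chunk")
        if fourcc in PRE_IMAGE_CHUNKS and seen_image:
            raise InvalidImageContent(f"{fourcc!r} chunk found after the image data")
        if fourcc in POST_IMAGE_CHUNKS and not seen_image:
            result.skipped.append((fourcc, "before image data"))
        else:
            if fourcc in IMAGE_CHUNKS:
                seen_image = True
            result.chunks.append((fourcc, size))
        pos += size + (size & 1)  # payloads are padded to an even length
    if not seen_image:
        raise InvalidImageContent("no image data chunk")
    return result


def rejects(data: bytes) -> bool:
    """True when scan_webp refuses the file outright."""
    try:
        scan_webp(data)
    except InvalidImageContent:
        return True
    return False


# Constructed sample files: valid container framing around filler payloads, not real images.
def chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_webp(*chunks: bytes) -> bytes:
    body = b"WEBP" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


GOOD = build_webp(chunk(b"VP8X", bytes(10)), chunk(b"ICCP", b"icc"),
                  chunk(b"VP8 ", bytes(20)), chunk(b"EXIF", b"Exif\0\0meta"))
TRUNCATED_EXIF = GOOD[:-4]  # file cut short inside the trailing EXIF chunk
TRUNCATED_VP8 = build_webp(chunk(b"VP8X", bytes(10)), chunk(b"VP8 ", bytes(20)))[:-5]
ICCP_AFTER_IMAGE = build_webp(chunk(b"VP8X", bytes(10)), chunk(b"VP8 ", bytes(20)),
                              chunk(b"ICCP", b"icc"))

if __name__ == "__main__":
    print(scan_webp(GOOD))
    print(scan_webp(TRUNCATED_EXIF))
    print(rejects(TRUNCATED_VP8), rejects(ICCP_AFTER_IMAGE))
```

The size check happens before any payload is read, so a lying chunk size never turns into an oversized allocation or a read past the buffer; whether the result is an error or a skip depends only on whether the decoder needs that chunk.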
I would suggest another sanitation check for the jpeg decoder in general. Each marker has a specific predefined size, which we already have in each marker parser as a parameter. I can't contribute to this branch directly, so I can make this a separate PR.
I would agree. If you have the time to do that I'd very much appreciate it.
Sorry for the late response, I've been studying scaled IDCT for another PR. Will try to do a PR for jpeg markers this week.
It looks increasingly unlikely that we'll get any test images for this, but I think we should still push on with the sanitation code.
Actually there's kind of a problem in the current jpeg decoder. It shouldn't be the cause of the mentioned issue but it's still a bug. Current decoding pipeline:
Any exception between step 1 and 3 would cause the allocated pixel buffer to be gc'd, leading to a false positive memory leak reported by memory diagnostics. Any invalid marker between scans can cause this; it shouldn't crash the entire process or even lead to an actual memory leak, but it's still a thing. I'll create a separate issue this week, posting this here just to let you know.
Extra jpeg sanity checks implemented at #2084.
if (bytesRead != 2) | ||
{ | ||
JpegThrowHelper.ThrowInvalidImageContentException("Not enough data to read the SOI marker"); | ||
} |
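Review bot: `bytesRead != 2` after a 2-byte read duplicates a check that a single length test on the source buffer can do up front; if this method reads the SOI out of a MemoryStream over a byte array, as the thread says, `if (tableBytes.Length < 4) throw` before the stream is constructed covers both 2-byte reads and lets the per-read checks go. If the method is kept stream-generic instead, the same short-read caveat applies: `Read` may legitimately return fewer than 2 bytes with more data still to come, so loop until the marker is complete before throwing "Not enough data".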
I think we can remove this and similar checks from other marker parsing methods, as it's now guaranteed that the stream has at least remaining bytes available.
Ah... That method is actually called from TIFF only.
But we can still transform the 2 read checks into 1 AvailableBytes check :)
I can't comment on non-diff lines, but that method creates a stream:
using var ms = new MemoryStream(tableBytes);
and then does 2 reads of 2 bytes with sequential if checks. We can do this check:
if (tableBytes.Length < 4) throw ...
before even creating a stream and remove the 2 checks after the reads, as those would always be true.
Cool. Will have a look.
Sorry, I forgot to alter the TIFF jpeg loading method here: ImageSharp/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs, lines 257 to 264 in c5f14f7
It should be this:
```csharp
int markerContentByteSize = this.ReadUint16(stream) - 2;

// Check whether the stream actually has enough bytes to read.
// markerContentByteSize is always positive so we cast
// to uint to avoid sign extension
if (stream.RemainingBytes < (uint)markerContentByteSize)
{
    JpegThrowHelper.ThrowNotEnoughBytesForMarker(fileMarker.Marker);
}

switch (fileMarker.Marker)
{
    // ...
}
```
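The remaining-bytes check sketched in the comments above, worked through in a standalone JPEG marker scanner; this is an added illustration in Python, not ImageSharp's decoder code. It assumes the standard segment layout (0xFF, marker byte, big-endian 16-bit length that counts its own two bytes), stops at SOS where entropy-coded data begins, and applies the up-front `tableBytes.Length < 4` idea from earlier in the thread as the initial length test. The sample input is constructed: structurally valid headers for a 1x1 baseline image with filler tables.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers with no length field: SOI, EOI, TEM and the RSTn restart markers.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


class InvalidImageContent(Exception):
    """Raised when the header is inconsistent with the bytes actually present."""


def scan_jpeg_segments(data: bytes) -> list:
    """Walk the marker segments up to SOS, returning [(marker, payload length)].

    Every declared length is checked against the remaining input before the
    payload is touched, so a lying length field fails here, not inside a parser.
    """
    # SOI is 2 bytes and is always followed by another marker, so anything
    # under 4 bytes cannot be a JPEG header (the up-front length test from the thread).
    if len(data) < 4:
        raise InvalidImageContent("Not enough data to read the SOI marker")
    if data[0] != 0xFF or data[1] != SOI:
        raise InvalidImageContent("Missing SOI marker")
    segments = [(SOI, 0)]
    pos = 2
    while True:
        if pos >= len(data) or data[pos] != 0xFF:
            raise InvalidImageContent(f"Expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes may precede a marker
            pos += 1
        if pos >= len(data):
            raise InvalidImageContent("Unexpected end of data inside a marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            segments.append((marker, 0))
            if marker == EOI:
                return segments
            continue
        if len(data) - pos < 2:
            raise InvalidImageContent(f"Not enough bytes to read the length of marker 0x{marker:02X}")
        length = struct.unpack_from(">H", data, pos)[0]
        pos += 2
        if length < 2:
            raise InvalidImageContent(f"Invalid length {length} for marker 0x{marker:02X}")
        content = length - 2  # the length field counts its own two bytes
        # The check from the discussion: refuse before dispatching if the payload is not all there.
        if len(data) - pos < content:
            raise InvalidImageContent(
                f"Not enough bytes for marker 0x{marker:02X}: need {content}, have {len(data) - pos}")
        segments.append((marker, content))
        pos += content
        if marker == SOS:
            return segments  # entropy-coded scan data follows; header parsing is complete


def rejects(data: bytes) -> bool:
    """True when scan_jpeg_segments refuses the input."""
    try:
        scan_jpeg_segments(data)
    except InvalidImageContent:
        return True
    return False


# Constructed sample: structurally valid headers for a 1x1 baseline image, filler tables.
def seg(marker: int, payload: bytes) -> bytes:
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


APP0 = seg(0xE0, b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00")
DQT = seg(0xDB, b"\x00" + bytes(range(1, 65)))             # table 0, 64 entries
SOF0 = seg(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")  # 8-bit, 1x1, one component
DHT = seg(0xC4, b"\x00" + b"\x01" + bytes(15) + b"\x00")   # one code of length 1
SOS_SEG = seg(SOS, b"\x01\x01\x00\x00\x3F\x00")
GOOD_JPEG = b"\xFF\xD8" + APP0 + DQT + SOF0 + DHT + SOS_SEG + b"\x2A" + b"\xFF\xD9"
TRUNCATED_DQT = GOOD_JPEG[:30]                              # cut inside the DQT payload
OVERSIZED_LENGTH = b"\xFF\xD8\xFF\xDB\xFF\xFF" + bytes(10)  # claims 65533 payload bytes
UNDERSIZED_LENGTH = b"\xFF\xD8\xFF\xDB\x00\x01"             # length smaller than its own field

if __name__ == "__main__":
    print(scan_jpeg_segments(GOOD_JPEG))
    print(rejects(TRUNCATED_DQT), rejects(OVERSIZED_LENGTH), rejects(UNDERSIZED_LENGTH))
```

Doing the length test once, before the per-marker `switch`, is what makes the per-parser "not enough data" checks redundant: every marker parser can then assume its declared payload is present, and a length field of 0 or 1 is caught as its own error rather than turning into a negative size.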
Peeps I'm gonna merge this. I want a build that can be tested in #2075 and it's blocking all other progress.
Prerequisites
Description
A PR to add additional sanitation checks with a view to fixing #2075.
Any additional sanitation fixes added to other open branches should be added here.