limit maximum colr box size

GerHobbelt · Oct 30, 2023 · 30d9ead · 30d9ead
1 parent 7cd873f
commit 30d9ead
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/libheif/nclx.cc b/libheif/nclx.cc
@@ -20,6 +20,7 @@
 
 
 #include "nclx.h"
+#include "security_limits.h"
 
 #include <cassert>
 #include <limits>
@@ -373,8 +374,12 @@ Error Box_colr::parse(BitstreamRange& range)
   }
   else if (colour_type == fourcc("prof") ||
            colour_type == fourcc("rICC")) {
+    if (!has_fixed_box_size()) {
+      return Error(heif_error_Unsupported_feature, heif_suberror_Unspecified, "colr boxes with undefined box size are not supported");
+    }
+
     uint64_t profile_size_64 = get_box_size() - get_header_size() - 4;
-    if (profile_size_64 > std::numeric_limits<size_t>::max()) {
+    if (profile_size_64 > MAX_COLOR_PROFILE_SIZE) {
       return Error(heif_error_Invalid_input, heif_suberror_Security_limit_exceeded, "Color profile exceeds maximum supported size");
     }
 

diff --git a/libheif/security_limits.h b/libheif/security_limits.h
@@ -27,6 +27,7 @@ static const size_t MAX_CHILDREN_PER_BOX = 20000;
 static const int MAX_ILOC_ITEMS = 20000;
 static const int MAX_ILOC_EXTENTS_PER_ITEM = 32;
 static const int MAX_MEMORY_BLOCK_SIZE = 512 * 1024 * 1024; // 512 MB
+static const int MAX_COLOR_PROFILE_SIZE = 100 * 1024 * 1024; // 100 MB
 
 // Artificial limit to avoid allocating too much memory.
 // 32768^2 = 1.5 GB as YUV-4:2:0 or 4 GB as RGB32