stop JPEG load after 20 warnings

jcupitt · jcupitt · commit 89bd46d1c4e0 · 2022-04-03T19:21:06.000+01:00
mitigates some DoS attacks somewhat see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24383
diff --git a/libvips/foreign/jpeg2vips.c b/libvips/foreign/jpeg2vips.c
@@ -488,6 +488,12 @@ read_jpeg_header( ReadJpeg *jpeg, VipsImage *out )
 	size_t data_length;
 	int i;
 
+	/* Trace level 3 means emit warning messages as they happen. This
+	 * lets us spot files with crazy numbers of warnings early and
+	 * prevents some DoS attacks.
+	 */
+	jpeg->eman.pub.trace_level = 3;
+
 	/* Read JPEG header. libjpeg will set out_color_space sanely for us 
 	 * for YUV YCCK etc.
 	 */
diff --git a/libvips/foreign/vips2jpeg.c b/libvips/foreign/vips2jpeg.c
@@ -165,20 +165,34 @@
 void
 vips__new_output_message( j_common_ptr cinfo )
 {
-	char buffer[JMSG_LENGTH_MAX];
+	/* Some DoS attacks use jpg files with thousands of warnings. Try to
+	 * limit the effect these have.
+	 */
+	if( cinfo->err->num_warnings >= 20 ) {
+		if( cinfo->err->num_warnings == 20 ) {
+			vips_error( "VipsJpeg", 
+				"%s", _( "too many warnings" ) );
+		}
+
+		jpeg_abort( cinfo );
+	}
+	else {
+		char buffer[JMSG_LENGTH_MAX];
 
-	(*cinfo->err->format_message)( cinfo, buffer );
-	vips_error( "VipsJpeg", _( "%s" ), buffer );
+		(*cinfo->err->format_message)( cinfo, buffer );
+		vips_error( "VipsJpeg", _( "%s" ), buffer );
 
 #ifdef DEBUG
-	printf( "vips__new_output_message: \"%s\"\n", buffer );
+		printf( "vips__new_output_message: \"%s\"\n", buffer );
 #endif /*DEBUG*/
 
-	/* This is run for things like file truncated. Signal invalidate to
-	 * force this op out of cache. 
-	 */
-        if( cinfo->client_data )
-		vips_foreign_load_invalidate( VIPS_IMAGE( cinfo->client_data ) );
+		/* This is run for things like file truncated. Signal 
+		 * invalidate to force this op out of cache. 
+		 */
+		if( cinfo->client_data )
+			vips_foreign_load_invalidate( 
+				VIPS_IMAGE( cinfo->client_data ) );
+	}
 }
 
 /* New error_exit handler.
