validate poppler page size (#4620)

jcupitt · web-flow · commit a58bfae9223a · 2025-08-16T20:14:27.000+01:00
* validate poppler page size

Poppler can return pages less than 1 pixel wide or high. Check for this
and flag an error.

Thanks Yang Luo, Riema Labs

* validate page size in svgload too

* add image sanity tests

* make vips_object_sanity() log an error
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,7 @@
 8.17.2
 
 - rank: fix an off-by-one error [larsmaxfield]
+- popplerload, svgload: validate page size [Yang Luo]
 - pdfiumload: allow both dpi and scale to be set [kleisauke]
 
 7/7/25 8.17.1
diff --git a/libvips/foreign/foreign.c b/libvips/foreign/foreign.c
@@ -1040,6 +1040,7 @@ vips_foreign_load_start(VipsImage *out, void *a, void *b)
 		 * If the load fails, we need to stop.
 		 */
 		if (class->load(load) ||
+			!vips_object_sanity(VIPS_OBJECT(load->real)) ||
 			vips_image_pio_input(load->real) ||
 			!vips_foreign_load_iscompat(load->real, out)) {
 			vips_operation_invalidate(VIPS_OPERATION(load));
@@ -1133,18 +1134,19 @@ vips_foreign_load_build(VipsObject *object)
 
 	g_object_set(object, "out", vips_image_new(), NULL);
 
-	vips_image_set_string(load->out,
-		VIPS_META_LOADER, class->nickname);
+	vips_image_set_string(load->out, VIPS_META_LOADER, class->nickname);
 
 #ifdef DEBUG
 	printf("vips_foreign_load_build: triggering ->header\n");
 #endif /*DEBUG*/
 
 	/* Read the header into @out.
 	 */
-	if (fclass->header &&
-		fclass->header(load))
-		return -1;
+	if (fclass->header) {
+		if (fclass->header(load) ||
+			!vips_object_sanity(VIPS_OBJECT(load->out)))
+			return -1;
+	}
 
 	/* If there's no ->load() method then the header read has done
 	 * everything. Otherwise, it's just set fields and we must also
diff --git a/libvips/foreign/popplerload.c b/libvips/foreign/popplerload.c
@@ -312,7 +312,6 @@ vips_foreign_load_pdf_header(VipsForeignLoad *load)
 	VipsForeignLoadPdf *pdf = VIPS_FOREIGN_LOAD_PDF(load);
 
 	int top;
-	int i;
 
 #ifdef DEBUG
 	printf("vips_foreign_load_pdf_header: %p\n", pdf);
@@ -342,21 +341,28 @@ vips_foreign_load_pdf_header(VipsForeignLoad *load)
 	pdf->image.top = 0;
 	pdf->image.width = 0;
 	pdf->image.height = 0;
-	for (i = 0; i < pdf->n; i++) {
+	for (int i = 0; i < pdf->n; i++) {
 		double width;
 		double height;
 
 		if (vips_foreign_load_pdf_get_page(pdf, pdf->page_no + i))
 			return -1;
+
 		poppler_page_get_size(pdf->page, &width, &height);
 		pdf->pages[i].left = 0;
 		pdf->pages[i].top = top;
+
 		/* We do round to nearest, in the same way that vips_resize()
 		 * does round to nearest. Without this, things like
 		 * shrink-on-load will break.
 		 */
 		pdf->pages[i].width = rint(width * pdf->total_scale);
 		pdf->pages[i].height = rint(height * pdf->total_scale);
+		if (pdf->pages[i].width <= 0 ||
+			pdf->pages[i].height <= 0) {
+			vips_error(class->nickname, "%s", _("zero-sized image"));
+			return -1;
+		}
 
 		if (pdf->pages[i].width > pdf->image.width)
 			pdf->image.width = pdf->pages[i].width;
@@ -368,7 +374,7 @@ vips_foreign_load_pdf_header(VipsForeignLoad *load)
 	/* If all pages are the same height, we can tag this as a toilet roll
 	 * image.
 	 */
-	for (i = 1; i < pdf->n; i++)
+	for (int i = 1; i < pdf->n; i++)
 		if (pdf->pages[i].height != pdf->pages[0].height)
 			break;
 
diff --git a/libvips/foreign/svgload.c b/libvips/foreign/svgload.c
@@ -568,12 +568,19 @@ vips_foreign_load_svg_get_scaled_size(VipsForeignLoadSvg *svg,
 static int
 vips_foreign_load_svg_parse(VipsForeignLoadSvg *svg, VipsImage *out)
 {
+	VipsObjectClass *class = VIPS_OBJECT_GET_CLASS(svg);
+
 	int width;
 	int height;
 	double res;
 
 	if (vips_foreign_load_svg_get_scaled_size(svg, &width, &height))
 		return -1;
+	if (width <= 0 ||
+		height <= 0) {
+		vips_error(class->nickname, "%s", _("zero-sized image"));
+		return -1;
+	}
 
 	/* We need pixels/mm for vips.
 	 */
@@ -583,7 +590,8 @@ vips_foreign_load_svg_parse(VipsForeignLoadSvg *svg, VipsImage *out)
 		width, height, 4,
 		svg->high_bitdepth ? VIPS_FORMAT_FLOAT : VIPS_FORMAT_UCHAR,
 		VIPS_CODING_NONE,
-		svg->high_bitdepth ? VIPS_INTERPRETATION_scRGB : VIPS_INTERPRETATION_sRGB,
+		svg->high_bitdepth ?
+			VIPS_INTERPRETATION_scRGB : VIPS_INTERPRETATION_sRGB,
 		res, res);
 
 	/* We use a tilecache, so it's smalltile.
diff --git a/libvips/iofuncs/generate.c b/libvips/iofuncs/generate.c
@@ -297,8 +297,8 @@ vips__demand_hint_array(VipsImage *image,
 	 */
 	set_hint = hint;
 	for (i = 0; i < len; i++)
-		set_hint = (VipsDemandStyle) VIPS_MIN(
-			(int) set_hint, (int) in[i]->dhint);
+		set_hint = (VipsDemandStyle)
+			VIPS_MIN((int) set_hint, (int) in[i]->dhint);
 
 	image->dhint = set_hint;
 
@@ -365,6 +365,9 @@ int
 vips_image_pipeline_array(VipsImage *image,
 	VipsDemandStyle hint, VipsImage **in)
 {
+	if (!vips_object_sanity(VIPS_OBJECT(image)))
+		return -1;
+
 	/* This function can be called more than once per output image. For
 	 * example, jpeg header load will call this once on ->out to set the
 	 * default hint, then later call it again to connect the output image
@@ -688,11 +691,12 @@ vips_image_generate(VipsImage *image,
 	VIPS_DEBUG_MSG("vips_image_generate: %p\n", image);
 
 	g_assert(generate_fn);
-	g_assert(vips_object_sanity(VIPS_OBJECT(image)));
+
+	if (!vips_object_sanity(VIPS_OBJECT(image)))
+		return -1;
 
 	if (!image->hint_set) {
-		vips_error("vips_image_generate",
-			"%s", _("demand hint not set"));
+		vips_error("vips_image_generate", "%s", _("demand hint not set"));
 		return -1;
 	}
 
diff --git a/libvips/iofuncs/image.c b/libvips/iofuncs/image.c
@@ -615,8 +615,7 @@ vips_image_summary(VipsObject *object, VipsBuf *buf)
 	if (vips_image_get_coding(image) == VIPS_CODING_NONE) {
 		vips_buf_appendf(buf,
 			g_dngettext(GETTEXT_PACKAGE,
-				" %s, %d band, %s",
-				" %s, %d bands, %s",
+				" %s, %d band, %s", " %s, %d bands, %s",
 				vips_image_get_bands(image)),
 			vips_enum_nick(VIPS_TYPE_BAND_FORMAT, vips_image_get_format(image)),
 			vips_image_get_bands(image),
@@ -625,8 +624,7 @@ vips_image_summary(VipsObject *object, VipsBuf *buf)
 	}
 	else {
 		vips_buf_appendf(buf, ", %s",
-			vips_enum_nick(VIPS_TYPE_CODING,
-				vips_image_get_coding(image)));
+			vips_enum_nick(VIPS_TYPE_CODING, vips_image_get_coding(image)));
 	}
 
 	if (vips_image_get_typeof(image, VIPS_META_LOADER) &&
@@ -657,42 +655,40 @@ vips_image_sanity(VipsObject *object, VipsBuf *buf)
 {
 	VipsImage *image = VIPS_IMAGE(object);
 
-	/* All 0 means im has been inited but never used.
-	 */
-	if (image->Xsize != 0 ||
-		image->Ysize != 0 ||
-		image->Bands != 0) {
-		if (image->Xsize <= 0 ||
-			image->Ysize <= 0 ||
-			image->Bands <= 0)
-			vips_buf_appends(buf, "bad dimensions\n");
-		if (image->BandFmt < -1 ||
-			image->BandFmt > VIPS_FORMAT_DPCOMPLEX ||
-			(image->Coding != -1 &&
-				image->Coding != VIPS_CODING_NONE &&
-				image->Coding != VIPS_CODING_LABQ &&
-				image->Coding != VIPS_CODING_RAD) ||
-			image->Type >= VIPS_INTERPRETATION_LAST ||
-			image->dtype > VIPS_IMAGE_PARTIAL ||
-			image->dhint > VIPS_DEMAND_STYLE_ANY)
-			vips_buf_appends(buf, "bad enum\n");
-		if (image->Xres < 0 ||
-			image->Yres < 0)
-			vips_buf_appends(buf, "bad resolution\n");
-	}
-
-	/* Must lock around inter-image links.
+	if (image->Xsize <= 0 ||
+		image->Ysize <= 0 ||
+		image->Bands <= 0)
+		vips_buf_appends(buf, "bad dimensions\n");
+	if (image->BandFmt < -1 ||
+		image->BandFmt > VIPS_FORMAT_DPCOMPLEX ||
+		(image->Coding != -1 &&
+			image->Coding != VIPS_CODING_NONE &&
+			image->Coding != VIPS_CODING_LABQ &&
+			image->Coding != VIPS_CODING_RAD) ||
+		image->Type >= VIPS_INTERPRETATION_LAST ||
+		image->dtype > VIPS_IMAGE_PARTIAL ||
+		image->dhint > VIPS_DEMAND_STYLE_ANY)
+		vips_buf_appends(buf, "bad enum\n");
+	if (image->Xres < 0 ||
+		image->Yres < 0)
+		vips_buf_appends(buf, "bad resolution\n");
+
+	/* These checks are expensive -- only do in leakcheck mode.
 	 */
-	g_mutex_lock(&vips__global_lock);
+	if (vips__leak) {
+		/* Must lock around inter-image links.
+		 */
+		g_mutex_lock(&vips__global_lock);
 
-	if (vips_slist_map2(image->upstream,
-			(VipsSListMap2Fn) vips_image_sanity_upstream, image, NULL))
-		vips_buf_appends(buf, "upstream broken\n");
-	if (vips_slist_map2(image->downstream,
-			(VipsSListMap2Fn) vips_image_sanity_downstream, image, NULL))
-		vips_buf_appends(buf, "downstream broken\n");
+		if (vips_slist_map2(image->upstream,
+				(VipsSListMap2Fn) vips_image_sanity_upstream, image, NULL))
+			vips_buf_appends(buf, "upstream broken\n");
+		if (vips_slist_map2(image->downstream,
+				(VipsSListMap2Fn) vips_image_sanity_downstream, image, NULL))
+			vips_buf_appends(buf, "downstream broken\n");
 
-	g_mutex_unlock(&vips__global_lock);
+		g_mutex_unlock(&vips__global_lock);
+	}
 
 	VIPS_OBJECT_CLASS(vips_image_parent_class)->sanity(object, buf);
 }
@@ -3148,7 +3144,8 @@ vips_image_hasalpha(VipsImage *image)
 int
 vips_image_write_prepare(VipsImage *image)
 {
-	g_assert(vips_object_sanity(VIPS_OBJECT(image)));
+	if (!vips_object_sanity(VIPS_OBJECT(image)))
+		return -1;
 
 	if (image->Xsize <= 0 ||
 		image->Ysize <= 0 ||
@@ -3416,7 +3413,8 @@ vips_image_wio_input(VipsImage *image)
 {
 	VipsImage *t1;
 
-	g_assert(vips_object_sanity(VIPS_OBJECT(image)));
+	if (!vips_object_sanity(VIPS_OBJECT(image)))
+		return -1;
 
 #ifdef DEBUG_IO
 	printf("vips_image_wio_input: wio input for %s\n",
@@ -3644,7 +3642,8 @@ vips_image_inplace(VipsImage *image)
 int
 vips_image_pio_input(VipsImage *image)
 {
-	g_assert(vips_object_sanity(VIPS_OBJECT(image)));
+	if (!vips_object_sanity(VIPS_OBJECT(image)))
+		return -1;
 
 #ifdef DEBUG_IO
 	printf("vips_image_pio_input: enabling partial input for %s\n",
diff --git a/libvips/iofuncs/object.c b/libvips/iofuncs/object.c
@@ -470,23 +470,18 @@ vips_object_print_name(VipsObject *object)
 gboolean
 vips_object_sanity(VipsObject *object)
 {
-	VipsObjectClass *class;
-	char str[1000];
-	VipsBuf buf = VIPS_BUF_STATIC(str);
-
 	if (!object) {
-		printf("vips_object_sanity: null object\n");
-
+		vips_error("vips_object_sanity", _("null object"));
 		return FALSE;
 	}
 
-	class = VIPS_OBJECT_GET_CLASS(object);
+	VipsObjectClass *class = VIPS_OBJECT_GET_CLASS(object);
+
+	char str[1000];
+	VipsBuf buf = VIPS_BUF_STATIC(str);
 	class->sanity(object, &buf);
 	if (!vips_buf_is_empty(&buf)) {
-		printf("sanity failure: ");
-		vips_object_print_name(object);
-		printf(" %s\n", vips_buf_all(&buf));
-
+		vips_error(class->nickname, "%s", vips_buf_all(&buf));
 		return FALSE;
 	}
 
diff --git a/libvips/iofuncs/sink.c b/libvips/iofuncs/sink.c
@@ -474,7 +474,8 @@ vips_sink_tile(VipsImage *im,
 	Sink sink;
 	int result;
 
-	g_assert(vips_object_sanity(VIPS_OBJECT(im)));
+	if (!vips_object_sanity(VIPS_OBJECT(im)))
+		return -1;
 
 	/* We don't use this, but make sure it's set in case any old binaries
 	 * are expecting it.
