Skip to content

heifload: ensure unlimited flag removes all security limits where possible #4398

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Feb 25, 2025
Merged

heifload: ensure unlimited flag removes all security limits where possible #4398

merged 2 commits into from
Feb 25, 2025

Conversation

lovell
Copy link
Member

@lovell lovell commented Feb 20, 2025

libheif v1.19.0 added new heif_get_disabled_security_limits API to remove all security limits.

I discovered this whilst investigating lovell/sharp#4335 and removing all limits appears to provide a solution to it.

@lovell lovell mentioned this pull request Feb 20, 2025
Open
5 tasks
@kleisauke
Copy link
Member

I think this is still problematic to do, see: #4266 (comment).

@kleisauke
Copy link
Member

kleisauke commented Feb 20, 2025
edited
Loading

... it would probably(?) be fine if you relocate this block above the heif_context_set_maximum_image_size_limit() call, that way the maximum image size of 16384 65535^2 is still respected (and we hopefully won't segv).

@lovell
Copy link
Member Author

lovell commented Feb 21, 2025

Ah, I thought this change felt familiar, I'd forgotten about your previous attempt. I think I'll try to re-work this to only remove the memory allocation limit when unlimited is set (rather than remove all security limits).

@kleisauke
Copy link
Member

PR #4399 should address that issue, so it's no longer a concern.

kleisauke
kleisauke approved these changes Feb 21, 2025
View reviewed changes
Copy link
Member

@kleisauke kleisauke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM once PR #4399 lands.

@lovell @kleisauke
Update libvips/foreign/heifload.c
e45a6e2 
Co-authored-by: Kleis Auke Wolthuizen <github@kleisauke.nl>
@lovell lovell merged commit df54c2b into libvips:master Feb 25, 2025
6 checks passed
@lovell lovell deleted the heifload-unlimited-all-the-things branch February 25, 2025 19:27
@Iaotle Iaotle mentioned this pull request Mar 2, 2025
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kleisauke kleisauke kleisauke approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lovell @kleisauke