uncompressed: add sanity limit check on number of tile rows and cols

bradh · bradh · commit 74edf934e9c0 · 2024-06-28T22:22:46.000+10:00
diff --git a/libheif/codecs/uncompressed_box.cc b/libheif/codecs/uncompressed_box.cc
@@ -27,6 +27,7 @@
 #include <cassert>
 
 #include "libheif/heif.h"
+#include "security_limits.h"
 #include "uncompressed.h"
 #include "uncompressed_box.h"
 
@@ -260,9 +261,19 @@ Error Box_uncC::parse(BitstreamRange& range)
 
     m_tile_align_size = range.read32();
 
-    m_num_tile_cols = range.read32() + 1;
+    uint32_t num_tile_cols_minus_one = range.read32();
+    uint32_t num_tile_rows_minus_one = range.read32();
+    if ((num_tile_cols_minus_one >= MAX_TILE_GRID_ROW_OR_COLUMN) || (num_tile_rows_minus_one >= MAX_TILE_GRID_ROW_OR_COLUMN)) {
+      std::stringstream sstr;
+      sstr << "Tiling size " << (num_tile_cols_minus_one + 1) << " x " << (num_tile_rows_minus_one + 1) << " exceeds the maximum allowed size "
+           << MAX_TILE_GRID_ROW_OR_COLUMN << " x " << MAX_TILE_GRID_ROW_OR_COLUMN;
+      return Error(heif_error_Memory_allocation_error,
+                   heif_suberror_Security_limit_exceeded,
+                   sstr.str());
+    }
+    m_num_tile_cols = num_tile_cols_minus_one + 1;
 
-    m_num_tile_rows = range.read32() + 1;
+    m_num_tile_rows = num_tile_rows_minus_one + 1;
   }
   return range.get_error();
 }
diff --git a/libheif/security_limits.h b/libheif/security_limits.h
@@ -34,6 +34,10 @@ static const int MAX_COLOR_PROFILE_SIZE = 100 * 1024 * 1024; // 100 MB
 static const int MAX_IMAGE_WIDTH = 32768;
 static const int MAX_IMAGE_HEIGHT = 32768;
 
+// Artificial limit on how many tiles or grid items (TODO) in either
+// row direction or column direction
+static const int MAX_TILE_GRID_ROW_OR_COLUMN = 32768;
+
 // Maximum nesting level of boxes in input files.
 // We put a limit on this to avoid unlimited stack usage by malicious input files.
 static const int MAX_BOX_NESTING_LEVEL = 20;
diff --git a/tests/uncompressed_box.cc b/tests/uncompressed_box.cc
@@ -216,3 +216,139 @@ TEST_CASE( "uncC" )
     std::string dump_output = uncC->dump(indent);
     REQUIRE(dump_output == "Box: uncC -----\nsize: 0   (header size: 0)\nprofile: 1919378017 (rgba)\ncomponent_index: 0\ncomponent_bit_depth: 8\ncomponent_format: unsigned\ncomponent_align_size: 0\ncomponent_index: 1\ncomponent_bit_depth: 8\ncomponent_format: unsigned\ncomponent_align_size: 0\ncomponent_index: 2\ncomponent_bit_depth: 8\ncomponent_format: unsigned\ncomponent_align_size: 0\ncomponent_index: 3\ncomponent_bit_depth: 8\ncomponent_format: unsigned\ncomponent_align_size: 0\nsampling_type: no subsampling\ninterleave_type: pixel\nblock_size: 0\ncomponents_little_endian: 0\nblock_pad_lsb: 0\nblock_little_endian: 0\nblock_reversed: 0\npad_unknown: 0\npixel_size: 0\nrow_align_size: 0\ntile_align_size: 0\nnum_tile_cols: 1\nnum_tile_rows: 1\n");
 }
+
+TEST_CASE("uncC_parse") {
+  std::vector<uint8_t> byteArray{
+    0x00, 0x00, 0x00, 0x40, 'u', 'n', 'c', 'C',
+    0x00, 0x00, 0x00, 0x00, 'r', 'g', 'b', 'a',
+    0x00, 0x00, 0x00, 0x04, 0, 0, 7, 0x00,
+    0x00, 0x00, 0x01, 0x07, 0x00, 0x00, 0x00, 0x02,
+    0x07, 0x00, 0x00, 0x00, 0x03, 0x07, 0x00, 0x00,
+    0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02
+    };
+
+  auto reader = std::make_shared<StreamReader_memory>(byteArray.data(),
+                                                      byteArray.size(), false);
+
+  BitstreamRange range(reader, byteArray.size());
+  std::shared_ptr<Box> box;
+  Error error = Box::read(range, &box);
+  REQUIRE(error == Error::Ok);
+  REQUIRE(range.error() == 0);
+
+  REQUIRE(box->get_short_type() == fourcc("uncC"));
+  REQUIRE(box->get_type_string() == "uncC");
+  std::shared_ptr<Box_uncC> uncC = std::dynamic_pointer_cast<Box_uncC>(box);
+  REQUIRE(uncC->get_number_of_tile_columns() == 2);
+  REQUIRE(uncC->get_number_of_tile_rows() == 3);
+  Indent indent;
+  std::string dumpResult = box->dump(indent);
+  REQUIRE(dumpResult == "Box: uncC -----\n"
+                        "size: 64   (header size: 12)\n"
+                        "profile: 1919378017 (rgba)\n"
+                        "component_index: 0\n"
+                        "component_bit_depth: 8\n"
+                        "component_format: unsigned\n"
+                        "component_align_size: 0\n"
+                        "component_index: 1\n"
+                        "component_bit_depth: 8\n"
+                        "component_format: unsigned\n"
+                        "component_align_size: 0\n"
+                        "component_index: 2\n"
+                        "component_bit_depth: 8\n"
+                        "component_format: unsigned\n"
+                        "component_align_size: 0\n"
+                        "component_index: 3\n"
+                        "component_bit_depth: 8\n"
+                        "component_format: unsigned\n"
+                        "component_align_size: 0\n"
+                        "sampling_type: no subsampling\n"
+                        "interleave_type: pixel\n"
+                        "block_size: 0\n"
+                        "components_little_endian: 0\n"
+                        "block_pad_lsb: 0\n"
+                        "block_little_endian: 0\n"
+                        "block_reversed: 0\n"
+                        "pad_unknown: 0\n"
+                        "pixel_size: 0\n"
+                        "row_align_size: 0\n"
+                        "tile_align_size: 0\n"
+                        "num_tile_cols: 2\n"
+                        "num_tile_rows: 3\n");
+}
+
+TEST_CASE("uncC_parse_no_overflow") {
+  std::vector<uint8_t> byteArray{
+    0x00, 0x00, 0x00, 0x40, 'u', 'n', 'c', 'C',
+    0x00, 0x00, 0x00, 0x00, 'r', 'g', 'b', 'a',
+    0x00, 0x00, 0x00, 0x04, 0, 0, 7, 0x00,
+    0x00, 0x00, 0x01, 0x07, 0x00, 0x00, 0x00, 0x02,
+    0x07, 0x00, 0x00, 0x00, 0x03, 0x07, 0x00, 0x00,
+    0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x7f, 0xff, 0x00, 0x00, 0x7f, 0xff
+    };
+
+  auto reader = std::make_shared<StreamReader_memory>(byteArray.data(),
+                                                      byteArray.size(), false);
+
+  BitstreamRange range(reader, byteArray.size());
+  std::shared_ptr<Box> box;
+  Error error = Box::read(range, &box);
+  REQUIRE(error == Error::Ok);
+  REQUIRE(range.error() == 0);
+
+  REQUIRE(box->get_short_type() == fourcc("uncC"));
+  REQUIRE(box->get_type_string() == "uncC");
+  std::shared_ptr<Box_uncC> uncC = std::dynamic_pointer_cast<Box_uncC>(box);
+  REQUIRE(uncC->get_number_of_tile_columns() == 32768);
+  REQUIRE(uncC->get_number_of_tile_rows() == 32768);
+}
+
+TEST_CASE("uncC_parse_excess_tile_cols") {
+  std::vector<uint8_t> byteArray{
+    0x00, 0x00, 0x00, 0x40, 'u', 'n', 'c', 'C',
+    0x00, 0x00, 0x00, 0x00, 'r', 'g', 'b', 'a',
+    0x00, 0x00, 0x00, 0x04, 0, 0, 7, 0x00,
+    0x00, 0x00, 0x01, 0x07, 0x00, 0x00, 0x00, 0x02,
+    0x07, 0x00, 0x00, 0x00, 0x03, 0x07, 0x00, 0x00,
+    0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x7f, 0xff
+    };
+
+  auto reader = std::make_shared<StreamReader_memory>(byteArray.data(),
+                                                      byteArray.size(), false);
+  BitstreamRange range(reader, byteArray.size());
+  std::shared_ptr<Box> box;
+  Error error = Box::read(range, &box);
+  REQUIRE(range.error() == 0);
+  REQUIRE(error.error_code == 6);
+  REQUIRE(error.sub_error_code == 1000);
+  REQUIRE(error.message == "Tiling size 32769 x 32768 exceeds the maximum allowed size 32768 x 32768");
+}
+
+TEST_CASE("uncC_parse_excess_tile_rows") {
+  std::vector<uint8_t> byteArray{
+    0x00, 0x00, 0x00, 0x40, 'u', 'n', 'c', 'C',
+    0x00, 0x00, 0x00, 0x00, 'r', 'g', 'b', 'a',
+    0x00, 0x00, 0x00, 0x04, 0, 0, 7, 0x00,
+    0x00, 0x00, 0x01, 0x07, 0x00, 0x00, 0x00, 0x02,
+    0x07, 0x00, 0x00, 0x00, 0x03, 0x07, 0x00, 0x00,
+    0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x7f, 0xff, 0x00, 0x00, 0x80, 0x00
+    };
+
+  auto reader = std::make_shared<StreamReader_memory>(byteArray.data(),
+                                                      byteArray.size(), false);
+  BitstreamRange range(reader, byteArray.size());
+  std::shared_ptr<Box> box;
+  Error error = Box::read(range, &box);
+  REQUIRE(range.error() == 0);
+  REQUIRE(error.error_code == 6);
+  REQUIRE(error.sub_error_code == 1000);
+  REQUIRE(error.message == "Tiling size 32768 x 32769 exceeds the maximum allowed size 32768 x 32768");
+}
