authorwolfbeast <mcwerewolf@gmail.com>2018-05-31 09:45:25 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-05-31 09:45:25 +0200
commit2d4ff8df91414b42974c72b2870f5c6e9ad397a8 (patch)
tree15b23dc6494a147e723cfdb3765be1568cf6c113 /image
parentf4b8be889cb7ee31a62af5660f36aaa192599009 (diff)
parent14eb8dc7bee8670e39d1199591d335579601f2ad (diff)
Merge branch 'master' into Basilisk-release
Diffstat (limited to 'image')
-rw-r--r--image/decoders/nsPNGDecoder.cpp18
-rw-r--r--image/imgLoader.cpp13
2 files changed, 15 insertions, 16 deletions
diff --git a/image/decoders/nsPNGDecoder.cpp b/image/decoders/nsPNGDecoder.cpp
index 0f385b339..9596ae7d6 100644
--- a/image/decoders/nsPNGDecoder.cpp
+++ b/image/decoders/nsPNGDecoder.cpp
@@ -34,13 +34,18 @@ namespace image {
static LazyLogModule sPNGLog("PNGDecoder");
static LazyLogModule sPNGDecoderAccountingLog("PNGDecoderAccounting");
-// limit image dimensions (bug #251381, #591822, #967656, and #1283961)
+// Limit image dimensions.
#ifndef MOZ_PNG_MAX_WIDTH
-# define MOZ_PNG_MAX_WIDTH 0x7fffffff // Unlimited
+# define MOZ_PNG_MAX_WIDTH 65535
#endif
#ifndef MOZ_PNG_MAX_HEIGHT
-# define MOZ_PNG_MAX_HEIGHT 0x7fffffff // Unlimited
+# define MOZ_PNG_MAX_HEIGHT 65535
#endif
+// Maximum area supported in pixels (W*H)
+#ifndef MOZ_PNG_MAX_PIX
+# define MOZ_PNG_MAX_PIX 268435456 // 256 Mpix = 16Ki x 16Ki
+#endif
+
nsPNGDecoder::AnimFrameInfo::AnimFrameInfo()
: mDispose(DisposalMethod::KEEP)
@@ -568,6 +573,13 @@ nsPNGDecoder::info_callback(png_structp png_ptr, png_infop info_ptr)
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, &compression_type, &filter_type);
+ // Check sizes against cap limits and W*H
+ if ((width > MOZ_PNG_MAX_WIDTH) ||
+ (height > MOZ_PNG_MAX_HEIGHT) ||
+ (width * height > MOZ_PNG_MAX_PIX)) {
+ png_error(decoder->mPNG, "Image too large");
+ }
+
const IntRect frameRect(0, 0, width, height);
// Post our size to the superclass
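Review bot: The area test `width * height > MOZ_PNG_MAX_PIX` appears to multiply in 32 bits, assuming width and height are the png_uint_32 values that png_get_IHDR fills in (their declarations are outside this hunk). It is overflow-safe only because the two preceding comparisons short-circuit at the default 65535 caps. MOZ_PNG_MAX_WIDTH and MOZ_PNG_MAX_HEIGHT in the first hunk are overridable through `#ifndef`, so a build that raises them could let the product wrap and accept an image far above the pixel cap. Widening the multiply removes that dependency: `(uint64_t(width) * height > MOZ_PNG_MAX_PIX)) {`. A short comment next to the macros stating that the caps must keep W*H representable would also help; info_callback's body begins and continues outside the hunk.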
diff --git a/image/imgLoader.cpp b/image/imgLoader.cpp
index 5e5ee7829..f7fb657bd 100644
--- a/image/imgLoader.cpp
+++ b/image/imgLoader.cpp
@@ -607,19 +607,6 @@ ShouldLoadCachedImage(imgRequest* aImgRequest,
}
}
- bool sendPriming = false;
- bool mixedContentWouldBlock = false;
- rv = nsMixedContentBlocker::GetHSTSPrimingFromRequestingContext(contentLocation,
- aLoadingContext, &sendPriming, &mixedContentWouldBlock);
- if (NS_FAILED(rv)) {
- return false;
- }
- if (sendPriming && mixedContentWouldBlock) {
- // if either of the securty checks above would cause a priming request, we
- // can't load this image from the cache, so go ahead and return false here
- return false;
- }
-
return true;
}