fix: limit WebP decode buffer size to prevent malicious allocations

2026-06-09 15:48:34 +08:00 · 2026-06-09 15:48:34 +08:00 · db3379364f
commit db3379364f
parent 7c6bab8019
2 changed files with 11 additions and 0 deletions
--- a/src/api/image.rs
+++ b/src/api/image.rs
@ -15,6 +15,8 @@ use std::sync::LazyLock;
 const MAX_IMAGE_DIMENSION: u32 = 4096;
 #[cfg(feature = "server")]
 const DEFAULT_JPEG_QUALITY: u8 = 85;
+#[cfg(feature = "server")]
+pub const MAX_IMAGE_PIXELS: u32 = 100_000_000; // ~10k x 10k

 #[cfg(feature = "server")]
 #[derive(Debug, Clone)]
--- a/src/webp.rs
+++ b/src/webp.rs
@ -86,6 +86,15 @@ pub fn decode(data: &[u8]) -> Result<image::DynamicImage, WebpError> {
    let height = info.height;
    let has_alpha = info.has_alpha;

+    let pixel_count = (width as u64) * (height as u64);
+
+    if pixel_count > crate::api::image::MAX_IMAGE_PIXELS as u64 {
+        return Err(WebpError::Decode(format!(
+            "Image dimensions {}x{} exceed maximum allowed pixels",
+            width, height
+        )));
+    }
+
    let buf_size = decoder
        .output_buffer_size()
        .ok_or_else(|| WebpError::Decode("Image too large".to_string()))?;