harden untrusted-input size handling in TIFF read and raw-TCP frames
Two memory-safety/robustness fixes for input whose size is attacker- or peer-controlled: - ReadTIFF: a large IMAGELENGTH could overflow scanline_bytes * lines, undersizing the buffer that TIFFReadScanline then writes past. Guard the product against overflow before resize and reuse scanline_bytes in the loop. - Raw-TCP image path: an uncapped header payload_size drove a huge resize() that took down the receive thread (wedging the writer-facing acceptor). Add JFJOCH_TCP_MAX_PAYLOAD_SIZE and reject oversized frames at the single receive-loop choke point on both the pusher and puller sides. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -320,6 +320,13 @@ void TCPImagePuller::ReceiverThread() {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (frame.header.payload_size > JFJOCH_TCP_MAX_PAYLOAD_SIZE) {
|
||||
logger.Error("Oversized TCP frame payload, reconnecting to " + addr);
|
||||
CloseSocket();
|
||||
std::this_thread::sleep_for(std::chrono::milliseconds(20));
|
||||
continue;
|
||||
}
|
||||
|
||||
const auto frame_type = static_cast<TCPFrameType>(frame.header.type);
|
||||
|
||||
// Respond to keepalive ping with a keepalive pong
|
||||
|
||||
Reference in New Issue
Block a user