harden untrusted-input size handling in TIFF read and raw-TCP frames

Two memory-safety/robustness fixes for input whose size is attacker- or
peer-controlled:

- ReadTIFF: a large IMAGELENGTH could overflow scanline_bytes * lines,
  undersizing the buffer that TIFFReadScanline then writes past. Guard the
  product against overflow before resize and reuse scanline_bytes in the loop.

- Raw-TCP image path: an uncapped header payload_size drove a huge resize()
  that took down the receive thread (wedging the writer-facing acceptor).
  Add JFJOCH_TCP_MAX_PAYLOAD_SIZE and reject oversized frames at the single
  receive-loop choke point on both the pusher and puller sides.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-07-11 11:34:11 +02:00
co-authored by Claude Opus 4.8
parent acd2025676
commit 4b72a89249
4 changed files with 28 additions and 3 deletions
+6
View File
@@ -432,6 +432,12 @@ void TCPStreamPusher::PersistentAckThread(Connection* c) {
break;
}
if (h.payload_size > JFJOCH_TCP_MAX_PAYLOAD_SIZE) {
c->broken = true;
logger.Error("Oversized payload on persistent connection, socket " + std::to_string(c->socket_number));
break;
}
// Any well-formed frame from the peer is a sign of life.
c->last_peer_activity_ns.store(SteadyNowNs(), std::memory_order_relaxed);