pass security limits down into image allocation and color conversion (#1389)

Author: farindk

fuzzing/color_conversion_fuzzer.cc

@@ -70,7 +70,7 @@ static bool read_plane(BitstreamRange* range,
   if (!range->prepare_read(static_cast<size_t>(width) * height)) {
     return false;
   }
-  if (auto err = image->add_plane2(channel, width, height, bit_depth)) {
+  if (auto err = image->add_plane(channel, width, height, bit_depth, heif_get_disabled_security_limits())) {
     return false;
   }
   uint32_t stride;
@@ -96,7 +96,7 @@ static bool read_plane_interleaved(BitstreamRange* range,
   if (!range->prepare_read(static_cast<size_t>(width) * height * comps)) {
     return false;
   }
-  if (auto err = image->add_plane2(channel, width, height, bit_depth)) {
+  if (auto err = image->add_plane(channel, width, height, bit_depth, heif_get_disabled_security_limits())) {
     return false;
   }
   uint32_t stride;
@@ -255,7 +255,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
                                              static_cast<heif_chroma>(out_chroma),
                                              nullptr,
                                              output_bpp,
-                                             options->color_conversion_options);
+                                             options->color_conversion_options,
+                                             heif_get_disabled_security_limits());
 
   heif_encoding_options_free(options);
 

libheif/api/libheif/heif.cc

@@ -1774,7 +1774,7 @@ heif_error heif_image_crop(struct heif_image* img,
                       "Image size exceeds maximum supported size"};
   }
 
-  auto cropResult = img->image->crop(left, static_cast<int>(w) - 1 - right, top, static_cast<int>(h) - 1 - bottom);
+  auto cropResult = img->image->crop(left, static_cast<int>(w) - 1 - right, top, static_cast<int>(h) - 1 - bottom, nullptr);
   if (cropResult.error) {
     return cropResult.error.error_struct(img->image.get());
   }
@@ -1806,7 +1806,8 @@ int heif_image_has_channel(const struct heif_image* img, enum heif_channel chann
 struct heif_error heif_image_add_plane(struct heif_image* image,
                                        heif_channel channel, int width, int height, int bit_depth)
 {
-  if (auto err = image->image->add_plane2(channel, width, height, bit_depth)) {
+  // Note: no security limit, because this is explicitly requested by the user.
+  if (auto err = image->image->add_plane(channel, width, height, bit_depth, nullptr)) {
     return err.error_struct(image->image.get());
   }
   else {
@@ -1820,7 +1821,7 @@ struct heif_error heif_image_add_channel(struct heif_image* image,
                                          int width, int height,
                                          heif_channel_datatype datatype, int bit_depth)
 {
-  if (!image->image->add_channel(channel, width, height, datatype, bit_depth)) {
+  if (!image->image->add_channel(channel, width, height, datatype, bit_depth, nullptr)) {
     struct heif_error err = {heif_error_Memory_allocation_error,
                              heif_suberror_Unspecified,
                              "Cannot allocate memory for image plane"};
@@ -1994,7 +1995,7 @@ int heif_image_is_premultiplied_alpha(struct heif_image* image)
 
 struct heif_error heif_image_extend_padding_to_size(struct heif_image* image, int min_physical_width, int min_physical_height)
 {
-  Error err = image->image->extend_padding_to_size2(min_physical_width, min_physical_height);
+  Error err = image->image->extend_padding_to_size(min_physical_width, min_physical_height, false, nullptr);
   if (err) {
     return err.error_struct(image->image.get());
   }
@@ -2011,7 +2012,7 @@ struct heif_error heif_image_scale_image(const struct heif_image* input,
 {
   std::shared_ptr<HeifPixelImage> out_img;
 
-  Error err = input->image->scale_nearest_neighbor(out_img, width, height);
+  Error err = input->image->scale_nearest_neighbor(out_img, width, height, nullptr);
   if (err) {
     return err.error_struct(input->image.get());
   }
@@ -2026,7 +2027,7 @@ struct heif_error heif_image_scale_image(const struct heif_image* input,
 struct heif_error heif_image_extend_to_size_fill_with_zero(struct heif_image* image,
                                                            uint32_t width, uint32_t height)
 {
-  Error err = image->image->extend_to_size_with_zero2(width, height);
+  Error err = image->image->extend_to_size_with_zero(width, height, nullptr);
   if (err) {
     return err.error_struct(image->image.get());
   }

libheif/codecs/uncompressed/unc_codec.cc

@@ -441,7 +441,8 @@ static AbstractDecoder* makeDecoder(uint32_t width, uint32_t height, const std::
 Result<std::shared_ptr<HeifPixelImage>> UncompressedImageCodec::create_image(const std::shared_ptr<const Box_cmpd> cmpd,
                                                                              const std::shared_ptr<const Box_uncC> uncC,
                                                                              uint32_t width,
-                                                                             uint32_t height)
+                                                                             uint32_t height,
+                                                                             const heif_security_limits* limits)
 {
   auto img = std::make_shared<HeifPixelImage>();
   heif_chroma chroma = heif_chroma_undefined;
@@ -465,12 +466,13 @@ Result<std::shared_ptr<HeifPixelImage>> UncompressedImageCodec::create_image(con
       }
 
       if ((channel == heif_channel_Cb) || (channel == heif_channel_Cr)) {
-        if (auto err = img->add_plane2(channel, (width / chroma_h_subsampling(chroma)), (height / chroma_v_subsampling(chroma)), component.component_bit_depth)) {
+        if (auto err = img->add_plane(channel, (width / chroma_h_subsampling(chroma)), (height / chroma_v_subsampling(chroma)), component.component_bit_depth,
+                                      limits)) {
           return err;
         }
       }
       else {
-        if (auto err = img->add_plane2(channel, width, height, component.component_bit_depth)) {
+        if (auto err = img->add_plane(channel, width, height, component.component_bit_depth, limits)) {
           return err;
         }
       }
@@ -505,7 +507,7 @@ Error UncompressedImageCodec::decode_uncompressed_image_tile(const HeifContext*
   uint32_t tile_width = ispe->get_width() / uncC->get_number_of_tile_columns();
   uint32_t tile_height = ispe->get_height() / uncC->get_number_of_tile_rows();
 
-  Result<std::shared_ptr<HeifPixelImage>> createImgResult = create_image(cmpd, uncC, tile_width, tile_height);
+  Result<std::shared_ptr<HeifPixelImage>> createImgResult = create_image(cmpd, uncC, tile_width, tile_height, context->get_security_limits());
   if (createImgResult.error) {
     return createImgResult.error;
   }
@@ -629,7 +631,7 @@ Error UncompressedImageCodec::decode_uncompressed_image(const HeifContext* conte
     return error;
   }
 
-  Result<std::shared_ptr<HeifPixelImage>> createImgResult = create_image(cmpd, uncC, width, height);
+  Result<std::shared_ptr<HeifPixelImage>> createImgResult = create_image(cmpd, uncC, width, height, context->get_security_limits());
   if (createImgResult.error) {
     return createImgResult.error;
   }

libheif/codecs/uncompressed/unc_codec.h

@@ -68,7 +68,8 @@ class UncompressedImageCodec
   static Result<std::shared_ptr<HeifPixelImage>> create_image(std::shared_ptr<const Box_cmpd>,
                                                               std::shared_ptr<const Box_uncC>,
                                                               uint32_t width,
-                                                              uint32_t height);
+                                                              uint32_t height,
+                                                              const heif_security_limits* limits);
 
   static Error check_header_validity(std::optional<const std::shared_ptr<const Box_ispe>>,
                                      const std::shared_ptr<const Box_cmpd>&,

libheif/color-conversion/alpha.cc

@@ -56,7 +56,8 @@ Result<std::shared_ptr<HeifPixelImage>>
 Op_drop_alpha_plane::convert_colorspace(const std::shared_ptr<const HeifPixelImage>& input,
                                         const ColorState& input_state,
                                         const ColorState& target_state,
-                                        const heif_color_conversion_options& options) const
+                                        const heif_color_conversion_options& options,
+                                        const heif_security_limits* limits) const
 {
   uint32_t width = input->get_width();
   uint32_t height = input->get_height();
@@ -74,7 +75,7 @@ Op_drop_alpha_plane::convert_colorspace(const std::shared_ptr<const HeifPixelIma
                                heif_channel_G,
                                heif_channel_B}) {
     if (input->has_channel(channel)) {
-      outimg->copy_new_plane_from(input, channel, channel);
+      outimg->copy_new_plane_from(input, channel, channel, limits);
     }
   }
 

libheif/color-conversion/alpha.h

@@ -38,7 +38,8 @@ class Op_drop_alpha_plane : public ColorConversionOperation
   convert_colorspace(const std::shared_ptr<const HeifPixelImage>& input,
                      const ColorState& input_state,
                      const ColorState& target_state,
-                     const heif_color_conversion_options& options) const override;
+                     const heif_color_conversion_options& options,
+                     const heif_security_limits* limits) const override;
 };
 
 #endif //LIBHEIF_COLORCONVERSION_ALPHA_H

libheif/color-conversion/chroma_sampling.cc

@@ -79,7 +79,8 @@ Result<std::shared_ptr<HeifPixelImage>>
 Op_YCbCr444_to_YCbCr420_average<Pixel>::convert_colorspace(const std::shared_ptr<const HeifPixelImage>& input,
                                                            const ColorState& input_state,
                                                            const ColorState& target_state,
-                                                           const heif_color_conversion_options& options) const
+                                                           const heif_color_conversion_options& options,
+                                                           const heif_security_limits* limits) const
 {
   bool hdr = !std::is_same<Pixel, uint8_t>::value;
 
@@ -129,14 +130,14 @@ Op_YCbCr444_to_YCbCr420_average<Pixel>::convert_colorspace(const std::shared_ptr
   uint32_t cwidth = (width + 1) / 2;
   uint32_t cheight = (height + 1) / 2;
 
-  if (auto err = outimg->add_plane2(heif_channel_Y, width, height, bpp_y) ||
-                 outimg->add_plane2(heif_channel_Cb, cwidth, cheight, bpp_cb) ||
-                 outimg->add_plane2(heif_channel_Cr, cwidth, cheight, bpp_cr)) {
+  if (auto err = outimg->add_plane(heif_channel_Y, width, height, bpp_y, limits) ||
+                 outimg->add_plane(heif_channel_Cb, cwidth, cheight, bpp_cb, limits) ||
+                 outimg->add_plane(heif_channel_Cr, cwidth, cheight, bpp_cr, limits)) {
     return err;
   }
 
   if (has_alpha) {
-    if (auto err = outimg->add_plane2(heif_channel_Alpha, width, height, bpp_a)) {
+    if (auto err = outimg->add_plane(heif_channel_Alpha, width, height, bpp_a, limits)) {
       return err;
     }
   }
@@ -297,7 +298,8 @@ Result<std::shared_ptr<HeifPixelImage>>
 Op_YCbCr444_to_YCbCr422_average<Pixel>::convert_colorspace(const std::shared_ptr<const HeifPixelImage>& input,
                                                            const ColorState& input_state,
                                                            const ColorState& target_state,
-                                                           const heif_color_conversion_options& options) const
+                                                           const heif_color_conversion_options& options,
+                                                           const heif_security_limits* limits) const
 {
   bool hdr = !std::is_same<Pixel, uint8_t>::value;
 
@@ -347,14 +349,14 @@ Op_YCbCr444_to_YCbCr422_average<Pixel>::convert_colorspace(const std::shared_ptr
   uint32_t cwidth = (width + 1) / 2;
   uint32_t cheight = height;
 
-  if (auto err = outimg->add_plane2(heif_channel_Y, width, height, bpp_y) ||
-                 outimg->add_plane2(heif_channel_Cb, cwidth, cheight, bpp_cb) ||
-                 outimg->add_plane2(heif_channel_Cr, cwidth, cheight, bpp_cr)) {
+  if (auto err = outimg->add_plane(heif_channel_Y, width, height, bpp_y, limits) ||
+                 outimg->add_plane(heif_channel_Cb, cwidth, cheight, bpp_cb, limits) ||
+                 outimg->add_plane(heif_channel_Cr, cwidth, cheight, bpp_cr, limits)) {
     return err;
   }
 
   if (has_alpha) {
-    if (auto err = outimg->add_plane2(heif_channel_Alpha, width, height, bpp_a)) {
+    if (auto err = outimg->add_plane(heif_channel_Alpha, width, height, bpp_a, limits)) {
       return err;
     }
   }
@@ -491,7 +493,8 @@ Result<std::shared_ptr<HeifPixelImage>>
 Op_YCbCr420_bilinear_to_YCbCr444<Pixel>::convert_colorspace(const std::shared_ptr<const HeifPixelImage>& input,
                                                             const ColorState& input_state,
                                                             const ColorState& target_state,
-                                                            const heif_color_conversion_options& options) const
+                                                            const heif_color_conversion_options& options,
+                                                            const heif_security_limits* limits) const
 {
   bool hdr = !std::is_same<Pixel, uint8_t>::value;
 
@@ -538,14 +541,14 @@ Op_YCbCr420_bilinear_to_YCbCr444<Pixel>::convert_colorspace(const std::shared_pt
 
   outimg->create(width, height, heif_colorspace_YCbCr, heif_chroma_444);
 
-  if (auto err = outimg->add_plane2(heif_channel_Y, width, height, bpp_y) ||
-                 outimg->add_plane2(heif_channel_Cb, width, height, bpp_cb) ||
-                 outimg->add_plane2(heif_channel_Cr, width, height, bpp_cr)) {
+  if (auto err = outimg->add_plane(heif_channel_Y, width, height, bpp_y, limits) ||
+                 outimg->add_plane(heif_channel_Cb, width, height, bpp_cb, limits) ||
+                 outimg->add_plane(heif_channel_Cr, width, height, bpp_cr, limits)) {
     return err;
   }
 
   if (has_alpha) {
-    if (auto err = outimg->add_plane2(heif_channel_Alpha, width, height, bpp_a)) {
+    if (auto err = outimg->add_plane(heif_channel_Alpha, width, height, bpp_a, limits)) {
       return err;
     }
   }
@@ -768,7 +771,8 @@ Result<std::shared_ptr<HeifPixelImage>>
 Op_YCbCr422_bilinear_to_YCbCr444<Pixel>::convert_colorspace(const std::shared_ptr<const HeifPixelImage>& input,
                                                             const ColorState& input_state,
                                                             const ColorState& target_state,
-                                                            const heif_color_conversion_options& options) const
+                                                            const heif_color_conversion_options& options,
+                                                            const heif_security_limits* limits) const
 {
   bool hdr = !std::is_same<Pixel, uint8_t>::value;
 
@@ -815,14 +819,14 @@ Op_YCbCr422_bilinear_to_YCbCr444<Pixel>::convert_colorspace(const std::shared_pt
 
   outimg->create(width, height, heif_colorspace_YCbCr, heif_chroma_444);
 
-  if (auto err = outimg->add_plane2(heif_channel_Y, width, height, bpp_y) ||
-                 outimg->add_plane2(heif_channel_Cb, width, height, bpp_cb) ||
-                 outimg->add_plane2(heif_channel_Cr, width, height, bpp_cr)) {
+  if (auto err = outimg->add_plane(heif_channel_Y, width, height, bpp_y, limits) ||
+                 outimg->add_plane(heif_channel_Cb, width, height, bpp_cb, limits) ||
+                 outimg->add_plane(heif_channel_Cr, width, height, bpp_cr, limits)) {
     return err;
   }
 
   if (has_alpha) {
-    if (auto err = outimg->add_plane2(heif_channel_Alpha, width, height, bpp_a)) {
+    if (auto err = outimg->add_plane(heif_channel_Alpha, width, height, bpp_a, limits)) {
       return err;
     }
   }

libheif/color-conversion/chroma_sampling.h

@@ -41,7 +41,8 @@ class Op_YCbCr444_to_YCbCr420_average : public ColorConversionOperation
   convert_colorspace(const std::shared_ptr<const HeifPixelImage>& input,
                      const ColorState& input_state,
                      const ColorState& target_state,
-                     const heif_color_conversion_options& options) const override;
+                     const heif_color_conversion_options& options,
+                     const heif_security_limits* limits) const override;
 };
 
 
@@ -58,7 +59,8 @@ class Op_YCbCr444_to_YCbCr422_average : public ColorConversionOperation
   convert_colorspace(const std::shared_ptr<const HeifPixelImage>& input,
                      const ColorState& input_state,
                      const ColorState& target_state,
-                     const heif_color_conversion_options& options) const override;
+                     const heif_color_conversion_options& options,
+                     const heif_security_limits* limits) const override;
 };
 
 
@@ -77,7 +79,8 @@ class Op_YCbCr420_bilinear_to_YCbCr444 : public ColorConversionOperation
   convert_colorspace(const std::shared_ptr<const HeifPixelImage>& input,
                      const ColorState& input_state,
                      const ColorState& target_state,
-                     const heif_color_conversion_options& options) const override;
+                     const heif_color_conversion_options& options,
+                     const heif_security_limits* limits) const override;
 };
 
 template <class Pixel>
@@ -93,7 +96,8 @@ class Op_YCbCr422_bilinear_to_YCbCr444 : public ColorConversionOperation
   convert_colorspace(const std::shared_ptr<const HeifPixelImage>& input,
                      const ColorState& input_state,
                      const ColorState& target_state,
-                     const heif_color_conversion_options& options) const override;
+                     const heif_color_conversion_options& options,
+                     const heif_security_limits* limits) const override;
 };
 
 #endif //LIBHEIF_CHROMA_SAMPLING_H