diff --git a/libs/image/src/LinearImage.cpp b/libs/image/src/LinearImage.cpp index 112e2002e9a4..529f581a9fe4 100644 --- a/libs/image/src/LinearImage.cpp +++ b/libs/image/src/LinearImage.cpp @@ -16,14 +16,22 @@ #include +#include + #include // for memset #include +#include +#include + namespace image { struct LinearImage::SharedReference { SharedReference(uint32_t width, uint32_t height, uint32_t channels) { - const uint32_t nfloats = width * height * channels; + const uint64_t nfloats64 = (uint64_t)width * (uint64_t)height * (uint64_t)channels; + FILAMENT_CHECK_PRECONDITION(nfloats64 <= UINT32_MAX && nfloats64 <= (std::numeric_limits::max() / sizeof(float))) + << "LinearImage allocation size is too large"; + const uint32_t nfloats = (uint32_t)nfloats64; float* floats = new float[nfloats]; memset(floats, 0, sizeof(float) * nfloats); pixels = std::shared_ptr(floats, std::default_delete()); diff --git a/libs/imageio/src/ImageDecoder.cpp b/libs/imageio/src/ImageDecoder.cpp index b0126a167b86..6a4caf8da50b 100644 --- a/libs/imageio/src/ImageDecoder.cpp +++ b/libs/imageio/src/ImageDecoder.cpp @@ -373,6 +373,19 @@ LinearImage PSDDecoder::decode() { uint32_t width = ntohl(h.width); uint32_t height = ntohl(h.height); + if (width == 0 || height == 0) { + throw std::runtime_error("invalid PSD dimensions: width and height must be non-zero"); + } + + // According to the PSD format specification, the maximum supported dimension + // for a PSD file is 30,000 pixels. Images larger than 30,000 pixels require + // the PSB (Photoshop Big) format, which is currently not supported. + // Enforcing this limit natively prevents integer overflow vulnerabilities + // during subsequent memory allocation. + if (width > 30000 || height > 30000) { + throw std::runtime_error("PSD dimensions exceed maximum allowed size (30,000 pixels)"); + } + uint32_t length; // color mode data section