Prevent OOM in ICO due to PNG #2682
Merged
+6
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
197g
approved these changes
Dec 1, 2025
Member
197g
left a comment
197g
left a comment
There was a problem hiding this comment.
Sure. We'll mostly use those as default limits. Restricting the png to the dimensions indicated in the ICO is neat for this version. I expect that #2672 will touch this in the rework (it already adds an implementation of ImageDecoder::set_limits to dispatch) but it won't hurt to start from a sane default.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
resolves #1746
While investigating #1746, I was unable to reproduce any of the OOM, so I suspect that some safety mechanism in PNG defeated the malicious inputs.
However, I went one step further to ensure that similar inputs can't allocate excessive amounts of memory. Since the size of the PNG is known beforehand, I used PNGs
with_limitsconstructor to pass in size and memory limits specific to the icon being decoded. For the memory limit, I used double the maximum uncompressed image size (512KiB). Assuming that PNG implements limits correctly, PNG OOM should never be an issue for ICO again.