jxl: adjust metadata size limits

Previously there was no limit for uncompressed metadata,
but when compressed metadata required buffer larger than 4MB,
image decoding stopped.

Now the plugin discards/skips metadata boxes larger than 8MB
without stopping image decoding.
If size of compressed box is above 8MB,
we do not attempt to decompress it.
File with compressed metadata could be rejected only in rare cases
when the decompression buffer grows above 32MB (four times 8M).

CMakeLists.txt

@@ -1,6 +1,6 @@
 cmake_minimum_required(VERSION 3.27)
 
-set(KF_VERSION "6.23.0") # handled by release scripts
+set(KF_VERSION "6.24.0") # handled by release scripts
 set(KF_DEP_VERSION "6.23.0") # handled by release scripts
 project(KImageFormats VERSION ${KF_VERSION})
 
@@ -106,7 +106,7 @@ add_feature_info(LibJXR LibJXR_FOUND "required for the QImage plugin for JPEG XR
 
 ecm_set_disabled_deprecation_versions(
     QT 6.11.0
-    KF 6.21.0
+    KF 6.23.0
 )
 
 add_subdirectory(src)

src/imageformats/ani.cpp

@@ -5,6 +5,7 @@
 */
 
 #include "ani_p.h"
+#include "util_p.h"
 
 #include <QImage>
 #include <QLoggingCategory>
@@ -101,7 +102,7 @@ bool ANIHandler::read(QImage *outImage)
     }
 
     const auto frameSize = *(reinterpret_cast<const quint32_le *>(frameSizeData.data()));
-    if (!frameSize) {
+    if (!frameSize || frameSize > quint32(kMaxQVectorSize)) {
         return false;
     }
 

src/imageformats/chunks.cpp

@@ -2538,7 +2538,7 @@ static QByteArray decompressVdat(const QByteArray &comp)
 static QByteArray vdatToIlbmPlane(const QByteArray &vdatData, const BMHDChunk *header)
 {
     QByteArray ba(vdatData.size(), char());
-    auto rowLen = header->rowLen();
+    auto rowLen = qint32(header->rowLen());
     for (auto x = 0, n = 0; x < rowLen; x += 2) {
         for (auto y = 0, off = x, h = header->height(); y < h; y++, off += rowLen) {
             if ((off + 1 >= ba.size()) || n + 1 >= vdatData.size()) {
@@ -2844,7 +2844,7 @@ bool PLTEChunk::isValid() const
     if (dataBytes() < 4) {
         return false;
     }
-    if (dataBytes() - 4 < total() * 3) {
+    if (dataBytes() - 4 < quint32(total()) * 3) {
         return false;
     }
     return chunkId() == PLTEChunk::defaultChunkId();

src/imageformats/jxl.cpp

@@ -2008,6 +2008,11 @@ bool QJpegXLHandler::extractBox(QByteArray &output, size_t container_size)
         return false;
     }
 
+    if (rawboxsize > 8388608) { // 8MB limit
+        qCWarning(LOG_JXLPLUGIN, "Skipped decoding of big JXL metadata box");
+        return true;
+    }
+
     output.resize(rawboxsize);
     status = JxlDecoderSetBoxBuffer(m_decoder, reinterpret_cast<uint8_t *>(output.data()), output.size());
     if (status != JXL_DEC_SUCCESS) {
@@ -2021,7 +2026,7 @@ bool QJpegXLHandler::extractBox(QByteArray &output, size_t container_size)
         if (status == JXL_DEC_BOX_NEED_MORE_OUTPUT) {
             size_t bytes_remains = JxlDecoderReleaseBoxBuffer(m_decoder);
 
-            if (output.size() > 4194304) { // approx. 4MB limit for decompressed metadata box
+            if (output.size() > 33554432) { // approx. 32MB (4*8) limit for decompressed metadata box
                 qCWarning(LOG_JXLPLUGIN, "JXL metadata box is too large");
                 m_parseState = ParseJpegXLError;
                 return false;

src/imageformats/psd.cpp

@@ -1017,7 +1017,7 @@ inline void rawChannelCopy(uchar *target, qint32 targetChannels, qint32 targetCh
 
 
 template<class T>
-inline void cmykToRgb(uchar *target, qint32 targetChannels, const char *source, qint32 sourceChannels, qint32 width, bool alpha = false)
+inline bool cmykToRgb(uchar *target, qint32 targetChannels, const char *source, qint32 sourceChannels, qint32 width, bool alpha = false)
 {
     auto s = reinterpret_cast<const T*>(source);
     auto t = reinterpret_cast<T*>(target);
@@ -1026,7 +1026,7 @@ inline void cmykToRgb(uchar *target, qint32 targetChannels, const char *source,
 
     if (sourceChannels < 2) {
         qCDebug(LOG_PSDPLUGIN) << "cmykToRgb: image is not a valid MCH/CMYK!";
-        return;
+        return false;
     }
 
     for (qint32 w = 0; w < width; ++w) {
@@ -1047,6 +1047,7 @@ inline void cmykToRgb(uchar *target, qint32 targetChannels, const char *source,
                 *(pt + 3) = std::numeric_limits<T>::max();
         }
     }
+    return true;
 }
 
 inline double finv(double v)
@@ -1066,7 +1067,7 @@ inline double gammaCorrection(double linear)
 }
 
 template<class T>
-inline void labToRgb(uchar *target, qint32 targetChannels, const char *source, qint32 sourceChannels, qint32 width, bool alpha = false)
+inline bool labToRgb(uchar *target, qint32 targetChannels, const char *source, qint32 sourceChannels, qint32 width, bool alpha = false)
 {
     auto s = reinterpret_cast<const T*>(source);
     auto t = reinterpret_cast<T*>(target);
@@ -1075,7 +1076,7 @@ inline void labToRgb(uchar *target, qint32 targetChannels, const char *source, q
 
     if (sourceChannels < 3) {
         qCDebug(LOG_PSDPLUGIN) << "labToRgb: image is not a valid LAB!";
-        return;
+        return false;
     }
 
     for (qint32 w = 0; w < width; ++w) {
@@ -1110,6 +1111,7 @@ inline void labToRgb(uchar *target, qint32 targetChannels, const char *source, q
                 *(pt + 3) = std::numeric_limits<T>::max();
         }
     }
+    return true;
 }
 
 bool readChannel(QByteArray &target, QDataStream &stream, quint32 compressedSize, quint16 compression)
@@ -1450,10 +1452,13 @@ bool PSDHandler::read(QImage *image)
             // Conversion to RGB
             if (header.color_mode == CM_CMYK || header.color_mode == CM_MULTICHANNEL) {
                 if (tmpCmyk.isNull()) {
-                    if (header.depth == 8)
-                        cmykToRgb<quint8>(img.scanLine(y), imgChannels, psdScanline.data(), header.channel_count, header.width, alpha);
-                    else if (header.depth == 16)
-                        cmykToRgb<quint16>(img.scanLine(y), imgChannels, psdScanline.data(), header.channel_count, header.width, alpha);
+                    if (header.depth == 8) {
+                        if (!cmykToRgb<quint8>(img.scanLine(y), imgChannels, psdScanline.data(), header.channel_count, header.width, alpha))
+                            return false;
+                    } else if (header.depth == 16) {
+                        if (!cmykToRgb<quint16>(img.scanLine(y), imgChannels, psdScanline.data(), header.channel_count, header.width, alpha))
+                            return false;
+                    }
                 } else if (header.depth == 8) {
                     rawChannelsCopyToCMYK<quint8>(tmpCmyk.bits(), 4, psdScanline.data(), header.channel_count, header.width);
                     if (auto rgbPtr = iccConv.convertedScanLine(tmpCmyk, 0))
@@ -1469,10 +1474,13 @@ bool PSDHandler::read(QImage *image)
                 }
             }
             if (header.color_mode == CM_LABCOLOR) {
-                if (header.depth == 8)
-                    labToRgb<quint8>(img.scanLine(y), imgChannels, psdScanline.data(), header.channel_count, header.width, alpha);
-                else if (header.depth == 16)
-                    labToRgb<quint16>(img.scanLine(y), imgChannels, psdScanline.data(), header.channel_count, header.width, alpha);
+                if (header.depth == 8) {
+                    if (!labToRgb<quint8>(img.scanLine(y), imgChannels, psdScanline.data(), header.channel_count, header.width, alpha))
+                        return false;
+                } else if (header.depth == 16) {
+                    if (!labToRgb<quint16>(img.scanLine(y), imgChannels, psdScanline.data(), header.channel_count, header.width, alpha))
+                        return false;
+                }
             }
             if (header.color_mode == CM_RGB) {
                 if (header.depth == 8)

src/imageformats/rgb.cpp

@@ -319,7 +319,10 @@ bool SGIImagePrivate::readImage(QImage &img)
 
     if (_rle) {
         uint l;
-        _starttab = new quint32[_numrows];
+        _starttab = new (std::nothrow) quint32[_numrows];
+        if (_starttab == nullptr) {
+            return false;
+        }
         for (l = 0; !_stream.atEnd() && l < _numrows; l++) {
             _stream >> _starttab[l];
             _starttab[l] -= 512 + _numrows * 2 * sizeof(quint32);
@@ -331,7 +334,10 @@ bool SGIImagePrivate::readImage(QImage &img)
             _starttab[l] = 0;
         }
 
-        _lengthtab = new quint32[_numrows];
+        _lengthtab = new (std::nothrow) quint32[_numrows];
+        if (_lengthtab == nullptr) {
+            return false;
+        }
         for (l = 0; !_stream.atEnd() && l < _numrows; l++) {
             _stream >> _lengthtab[l];
             if (_stream.status() != QDataStream::Ok) {
@@ -794,7 +800,10 @@ bool SGIImagePrivate::writeImage(const QImage &image)
     _pixmax = 0;
     _colormap = NORMAL;
     _numrows = _ysize * _zsize;
-    _starttab = new quint32[_numrows];
+    _starttab = new (std::nothrow) quint32[_numrows];
+    if (_starttab == nullptr) {
+        return false;
+    }
     _rlemap.setBaseOffset(512 + _numrows * 2 * sizeof(quint32));
 
     if (!scanData(image, tfmt, tcs)) {

src/imageformats/tga.cpp

@@ -731,7 +731,7 @@ static bool LoadTGA(QIODevice *dev, const TgaHeader &tga, QImage &img)
                 if (div == 0)
                     hasAlpha = false;
                 for (int x = x_start; x != x_end; x += x_step) {
-                    const int alpha = hasAlpha ? int((src[3]) << (8 - numAlphaBits)) * 255 / div : 255;
+                    const int alpha = hasAlpha ? int(quint8(src[3]) << (8 - numAlphaBits)) * 255 / div : 255;
                     scanline[x] = qRgba(src[2], src[1], src[0], alpha);
                     src += 4;
                 }