Validate decoded image dimensions

They are expected to be a certain size, so verify this so no server tries to do something broken.
2019-12-23 15:37:48 +01:00 · 2019-12-23 15:37:48 +01:00 · 4babdf33bd
parent b8d1a8bb57
commit 4babdf33bd
4 changed files with 13 additions and 5 deletions
--- a/core/decoders/tight.js
+++ b/core/decoders/tight.js
@ -92,7 +92,7 @@ export default class TightDecoder {
            return false;
        }

-        display.imageRect(x, y, "image/jpeg", data);
+        display.imageRect(x, y, width, height, "image/jpeg", data);

        return true;
    }
--- a/core/decoders/tightpng.js
+++ b/core/decoders/tightpng.js
@ -16,7 +16,7 @@ export default class TightPNGDecoder extends TightDecoder {
            return false;
        }

-        display.imageRect(x, y, "image/png", data);
+        display.imageRect(x, y, width, height, "image/png", data);

        return true;
    }
--- a/core/display.js
+++ b/core/display.js
@ -359,14 +359,16 @@ export default class Display {
        }
    }

-    imageRect(x, y, mime, arr) {
+    imageRect(x, y, width, height, mime, arr) {
        const img = new Image();
        img.src = "data: " + mime + ";base64," + Base64.encode(arr);
        this._renderQ_push({
            'type': 'img',
            'img': img,
            'x': x,
-            'y': y
+            'y': y,
+            'width': width,
+            'height': height
        });
    }

@ -616,6 +618,12 @@ export default class Display {
                    break;
                case 'img':
                    if (a.img.complete) {
+                        if (a.img.width !== a.width || a.img.height !== a.height) {
+                            Log.Error("Decoded image has incorrect dimensions. Got " +
+                                      a.img.width + "x" + a.img.height + ". Expected " +
+                                      a.width + "x" + a.height + ".");
+                            return;
+                        }
                        this.drawImage(a.img, a.x, a.y);
                    } else {
                        a.img._noVNC_display = this;
--- a/docs/API-internal.md
+++ b/docs/API-internal.md
@ -103,7 +103,7 @@ None
 | flush              | ()                                                      | Resume processing the render queue unless it's empty
 | fillRect           | (x, y, width, height, color, from_queue)                | Draw a filled in rectangle
 | copyImage          | (old_x, old_y, new_x, new_y, width, height, from_queue) | Copy a rectangular area
-| imageRect          | (x, y, mime, arr)                                       | Draw a rectangle with an image
+| imageRect          | (x, y, width, height, mime, arr)                        | Draw a rectangle with an image
 | startTile          | (x, y, width, height, color)                            | Begin updating a tile
 | subTile            | (tile, x, y, w, h, color)                               | Update a sub-rectangle within the given tile
 | finishTile         | ()                                                      | Draw the current tile to the display