glycin-ng 0.2.2

Permissively-licensed Rust image decoder library with in-process sandboxing
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

//! Per-decode resource caps.

use std::time::Duration;

/// Resource ceilings applied to a single decode.
///
/// Limits are enforced in two places: pre-decode header inspection
/// (`max_width`, `max_height`, `max_pixels`, `max_frames`,
/// `max_animation_duration`) and process-wide `setrlimit` when the
/// sandbox is on (`decode_memory_mib` -> `RLIMIT_AS`,
/// `decode_cpu_seconds` -> `RLIMIT_CPU`).
///
/// Defaults are sized for ordinary desktop and server workloads.
/// Callers loading user-supplied images should keep them; callers
/// loading their own trusted assets can raise or remove them by
/// constructing the struct directly.
#[derive(Copy, Clone, Debug, PartialEq, Eq)]
pub struct Limits {
    /// Maximum image width in pixels. Default: 32768.
    pub max_width: u32,
    /// Maximum image height in pixels. Default: 32768.
    pub max_height: u32,
    /// Maximum total pixels (width times height times frame count).
    /// Default: 256 MiPx.
    pub max_pixels: u64,
    /// Maximum animation frame count. Default: 1024.
    pub max_frames: u32,
    /// Maximum animation duration summed across frames. Default:
    /// 60 seconds.
    pub max_animation_duration: Duration,
    /// `RLIMIT_AS` cap in MiB applied when the sandbox is on.
    /// Default: 512.
    pub decode_memory_mib: u64,
    /// `RLIMIT_CPU` cap in seconds applied when the sandbox is on.
    /// Default: 30.
    pub decode_cpu_seconds: u64,
}

impl Default for Limits {
    fn default() -> Self {
        Self {
            max_width: 32_768,
            max_height: 32_768,
            max_pixels: 256 * 1024 * 1024,
            max_frames: 1024,
            max_animation_duration: Duration::from_secs(60),
            decode_memory_mib: 512,
            decode_cpu_seconds: 30,
        }
    }
}

impl Limits {
    /// All caps removed. Use only for trusted input.
    pub fn unlimited() -> Self {
        Self {
            max_width: u32::MAX,
            max_height: u32::MAX,
            max_pixels: u64::MAX,
            max_frames: u32::MAX,
            max_animation_duration: Duration::MAX,
            decode_memory_mib: u64::MAX,
            decode_cpu_seconds: u64::MAX,
        }
    }

    /// Reject the image if width times height exceeds `max_pixels` or
    /// either dimension exceeds its cap.
    ///
    /// `frames` is the number of frames the decoder will produce
    /// (1 for non-animated formats). Pre-decode header inspection
    /// should call this with the values pulled from the header.
    pub fn check_dimensions(&self, width: u32, height: u32, frames: u32) -> crate::Result<()> {
        if width > self.max_width {
            return Err(crate::Error::LimitExceeded("max_width"));
        }
        if height > self.max_height {
            return Err(crate::Error::LimitExceeded("max_height"));
        }
        if frames > self.max_frames {
            return Err(crate::Error::LimitExceeded("max_frames"));
        }
        let total = (width as u64)
            .checked_mul(height as u64)
            .and_then(|p| p.checked_mul(frames as u64));
        match total {
            Some(p) if p > self.max_pixels => Err(crate::Error::LimitExceeded("max_pixels")),
            None => Err(crate::Error::LimitExceeded("max_pixels")),
            Some(_) => Ok(()),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn defaults_match_documentation() {
        let d = Limits::default();
        assert_eq!(d.max_width, 32_768);
        assert_eq!(d.max_height, 32_768);
        assert_eq!(d.max_pixels, 256 * 1024 * 1024);
        assert_eq!(d.max_frames, 1024);
        assert_eq!(d.max_animation_duration, Duration::from_secs(60));
        assert_eq!(d.decode_memory_mib, 512);
        assert_eq!(d.decode_cpu_seconds, 30);
    }

    #[test]
    fn check_dimensions_accepts_small_images() {
        let l = Limits::default();
        l.check_dimensions(1920, 1080, 1).unwrap();
        l.check_dimensions(1, 1, 1).unwrap();
    }

    #[test]
    fn check_dimensions_rejects_huge_width() {
        let l = Limits::default();
        let e = l.check_dimensions(40_000, 100, 1).unwrap_err();
        assert!(matches!(e, crate::Error::LimitExceeded("max_width")));
    }

    #[test]
    fn check_dimensions_rejects_huge_pixels() {
        let l = Limits::default();
        let e = l.check_dimensions(20_000, 20_000, 1).unwrap_err();
        assert!(matches!(e, crate::Error::LimitExceeded("max_pixels")));
    }

    #[test]
    fn check_dimensions_rejects_overflow() {
        let l = Limits::unlimited();
        // Force the multiplication to overflow u64 even though limits
        // are unbounded; we still report a LimitExceeded.
        let e = l
            .check_dimensions(u32::MAX, u32::MAX, u32::MAX)
            .unwrap_err();
        assert!(matches!(e, crate::Error::LimitExceeded("max_pixels")));
    }

    #[test]
    fn check_dimensions_rejects_too_many_frames() {
        let l = Limits::default();
        let e = l.check_dimensions(10, 10, 2000).unwrap_err();
        assert!(matches!(e, crate::Error::LimitExceeded("max_frames")));
    }
}