Limit SVG stream length to 1 MB

2026-04-27 03:14:46 +02:00 · 2025-01-03 19:02:23 +01:00
parent c4803086d3
commit a7f7424cb1
2 changed files with 37 additions and 2 deletions
--- a/app/src/main/java/eu/faircode/email/Helper.java
+++ b/app/src/main/java/eu/faircode/email/Helper.java
@@ -153,6 +153,7 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
+import java.io.FilterInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -3849,4 +3850,37 @@ public class Helper {
        ActivityManager am = Helper.getSystemService(context, ActivityManager.class);
        am.clearApplicationUserData();
    }
+
+    static class MaximumLengthStream extends FilterInputStream {
+        private int max;
+        private int count = 0;
+
+        protected MaximumLengthStream(InputStream in, int max) {
+            super(in);
+            this.max = max;
+        }
+
+        @Override
+        public int read() throws IOException {
+            int b = super.read();
+            if (b >= 0 && ++count > max)
+                throw new IOException("Stream larger than " + max + " bytes");
+            return b;
+        }
+
+        @Override
+        public int read(byte[] b) throws IOException {
+            for (int i = 0; i < b.length; i++) {
+                b[i] = (byte) read();
+                if (b[i] < 0)
+                    return i;
+            }
+            return b.length;
+        }
+
+        @Override
+        public int read(byte[] b, int off, int len) throws IOException {
+            throw new UnsupportedOperationException();
+        }
+    }
 }
--- a/app/src/main/java/eu/faircode/email/ImageHelper.java
+++ b/app/src/main/java/eu/faircode/email/ImageHelper.java
@@ -86,6 +86,7 @@ class ImageHelper {
    private static final int MAX_PROBE = 128 * 1024; // bytes
    private static final int SLOW_CONNECTION = 2 * 1024; // Kbps
    private static final int MAX_BITMAP_SIZE = 100 * 1024 * 1024; // RecordingCanvas.MAX_BITMAP_SIZE
+    private static final int MAX_SVG_SIZE = 1024 * 1024; // bytes

    // https://developer.android.com/guide/topics/media/media-formats#image-formats
    static final List<String> IMAGE_TYPES = Collections.unmodifiableList(Arrays.asList(
@@ -277,8 +278,8 @@ class ImageHelper {
    }

    @NonNull
-    static Bitmap renderSvg(InputStream is, int fillColor, int scaleToPixels) throws IOException {
-        try {
+    static Bitmap renderSvg(InputStream _is, int fillColor, int scaleToPixels) throws IOException {
+        try (InputStream is = new Helper.MaximumLengthStream(_is, 1024 * 1024)) {
            // https://bugzilla.mozilla.org/show_bug.cgi?id=455100
            // https://bug1105796.bmoattachments.org/attachment.cgi?id=8529795
            // https://github.com/BigBadaboom/androidsvg/issues/122#issuecomment-361902061