From b5a9ce7816f8b2459febc406e48b4da147b54700 Mon Sep 17 00:00:00 2001
From: Kelsi
Date: Wed, 6 May 2026 06:09:13 -0700
Subject: [PATCH] fix(assets): cap PNG override texture dimensions at 8K to prevent OOM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

stbi_load happily decodes any PNG up to 32K x 32K — at 4 bytes/pixel that's 4GB which OOMs the editor before the override even returns. WoW textures top out at 4K; 8K cap leaves headroom for HD upgrades without enabling abuse. Also widens the wxh multiplication to size_t to defeat int overflow on 8K x 8K images.
---
 src/pipeline/asset_manager.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/pipeline/asset_manager.cpp b/src/pipeline/asset_manager.cpp
index 504eed71..95e90370 100644
--- a/src/pipeline/asset_manager.cpp
+++ b/src/pipeline/asset_manager.cpp
@@ -261,6 +261,13 @@ BLPImage AssetManager::tryLoadPngOverride(const std::string& normalizedPath) con
 LOG_WARNING("PNG override exists but failed to load: ", pngPath);
 return BLPImage();
 }
+ // Cap texture dimensions. WoW textures top out at 4K; stbi can return
+ // 32K x 32K which would allocate 4GB on a malicious PNG.
+ if (w <= 0 || h <= 0 || w > 8192 || h > 8192) {
+ LOG_WARNING("PNG override dimensions out of range (", w, "x", h, "): ", pngPath);
+ stbi_image_free(pixels);
+ return BLPImage();
+ }
 BLPImage image;
 image.width = w;
@@ -268,7 +275,7 @@ BLPImage AssetManager::tryLoadPngOverride(const std::string& normalizedPath) con
 image.channels = 4;
 image.format = BLPFormat::BLP2;
 image.compression = BLPCompression::ARGB8888;
- image.data.assign(pixels, pixels + (w * h * 4));
+ image.data.assign(pixels, pixels + (static_cast(w) * h * 4));
 stbi_image_free(pixels);
 LOG_INFO("PNG override loaded: ", pngPath, " (", w, "x", h, ")");
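Review bot: The dimension cap in the first hunk is evaluated only after the image has been fully decoded: the new branch has to call `stbi_image_free(pixels)`, so the w*h*4 buffer already exists when `w > 8192 || h > 8192` is tested. An oversized PNG can therefore still exhaust memory inside the load call, which sits above this hunk and is not visible here. Reading the header first with `stbi_info` on the same path and returning before the decode, or building stb_image with `STBI_MAX_DIMENSIONS` defined as 8192, would enforce the limit before any pixel buffer is allocated. The post-decode check is still worth keeping as a guard on the copy into `image.data`, and a named constant such as `constexpr int kMaxPngOverrideDim = 8192;` would keep the comment and the condition from drifting apart.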