Merge branch 'charlesmchen/gifOfDeath'

Signal.xcodeproj/project.pbxproj

@@ -1422,6 +1422,7 @@
 				45E615151E8C590B0018AD52 /* DisplayableTextFilter.swift */,
 				76EB04EA18170B33006006FC /* FunctionalUtil.h */,
 				76EB04EB18170B33006006FC /* FunctionalUtil.m */,
+				455AC69A1F4F79E500134004 /* ImageCache.swift */,
 				B62F5E0E1C2980B4000D370C /* NSData+ows_StripToken.h */,
 				B62F5E0F1C2980B4000D370C /* NSData+ows_StripToken.m */,
 				76EB04EC18170B33006006FC /* NumberUtil.h */,
@@ -1455,7 +1456,6 @@
 				76EB04FB18170B33006006FC /* Util.h */,
 				45F170D51E315310003FC1F2 /* Weak.swift */,
 				45F170CB1E310E22003FC1F2 /* WeakTimer.swift */,
-				455AC69A1F4F79E500134004 /* ImageCache.swift */,
 			);
 			path = util;
 			sourceTree = "<group>";
@@ -2580,7 +2580,11 @@
 					"DEBUG=1",
 					"$(inherited)",
 				);
-				"GCC_PREPROCESSOR_DEFINITIONS[arch=*]" = "DEBUG=1 $(inherited) SSK_BUILDING_FOR_TESTS=1";
+				"GCC_PREPROCESSOR_DEFINITIONS[arch=*]" = (
+					"DEBUG=1",
+					"$(inherited)",
+					"SSK_BUILDING_FOR_TESTS=1",
+				);
 				GCC_TREAT_IMPLICIT_FUNCTION_DECLARATIONS_AS_ERRORS = YES;
 				GCC_TREAT_INCOMPATIBLE_POINTER_TYPE_WARNINGS_AS_ERRORS = YES;
 				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;

Signal/src/Models/TSMessageAdapaters/JSQMediaItem+OWS.m

@@ -6,6 +6,7 @@
 #import "NumberUtil.h"
 #import "UIDevice+TSHardwareVersion.h"
 #import <ImageIO/ImageIO.h>
+#import <SignalServiceKit/NSData+Image.h>
 
 @implementation JSQMediaItem (OWS)
 
@@ -42,6 +43,10 @@
 {
     OWSAssert(imageURL);
 
+    if (![NSData ows_isValidImageAtPath:imageURL.path]) {
+        return CGSizeZero;
+    }
+
     // With CGImageSource we avoid loading the whole image into memory.
     CGImageSourceRef source = CGImageSourceCreateWithURL((CFURLRef)imageURL, NULL);
     if (!source) {

Signal/src/Models/TSMessageAdapaters/TSAnimatedAdapter.m

@@ -12,6 +12,7 @@
 #import <JSQMessagesViewController/JSQMessagesMediaViewBubbleImageMasker.h>
 #import <MobileCoreServices/MobileCoreServices.h>
 #import <SignalServiceKit/MIMETypeUtil.h>
+#import <SignalServiceKit/NSData+Image.h>
 
 NS_ASSUME_NONNULL_BEGIN
 
@@ -108,6 +109,9 @@ NS_ASSUME_NONNULL_BEGIN
             view.backgroundColor = [UIColor colorWithWhite:0.85f alpha:1.f];
             return view;
         }
+        if (![fileData ows_isValidImage]) {
+            return nil;
+        }
         FLAnimatedImage *animatedGif = [FLAnimatedImage animatedImageWithGIFData:fileData];
         FLAnimatedImageView *imageView = [[FLAnimatedImageView alloc] init];
         imageView.animatedImage        = animatedGif;

Signal/src/Profiles/OWSProfileManager.m

@@ -7,6 +7,7 @@
 #import "NSString+OWS.h"
 #import "Signal-Swift.h"
 #import <SignalServiceKit/Cryptography.h>
+#import <SignalServiceKit/NSData+Image.h>
 #import <SignalServiceKit/NSData+hexString.h>
 #import <SignalServiceKit/NSDate+OWS.h>
 #import <SignalServiceKit/OWSMessageSender.h>
@@ -1333,7 +1334,11 @@ const NSUInteger kOWSProfileManager_MaxAvatarDiameter = 640;
 {
     OWSAssert(filename.length > 0);
 
-    UIImage *_Nullable image = [UIImage imageWithData:[self loadProfileDataWithFilename:filename]];
+    NSData *data = [self loadProfileDataWithFilename:filename];
+    if (![data ows_isValidImage]) {
+        return nil;
+    }
+    UIImage *_Nullable image = [UIImage imageWithData:data];
     return image;
 }
 

Signal/src/Signal-Bridging-Header.h

@@ -48,6 +48,7 @@
 #import <SignalServiceKit/Cryptography.h>
 #import <SignalServiceKit/MIMETypeUtil.h>
 #import <SignalServiceKit/NSData+Base64.h>
+#import <SignalServiceKit/NSData+Image.h>
 #import <SignalServiceKit/NSDate+millisecondTimeStamp.h>
 #import <SignalServiceKit/NSTimer+OWS.h>
 #import <SignalServiceKit/OWSAcknowledgeMessageDeliveryRequest.h>

Signal/src/ViewControllers/AttachmentApprovalViewController.swift

@@ -171,8 +171,13 @@ class AttachmentApprovalViewController: OWSViewController, OWSAudioAttachmentPla
     }
 
     private func createAnimatedPreview(attachmentPreviewView: UIView) {
+        let data = attachment.data
+        guard (data as NSData).ows_isValidImage() else {
+            return
+        }
+
         // Use Flipboard FLAnimatedImage library to display gifs
-        guard let animatedImage = FLAnimatedImage(gifData:attachment.data) else {
+        guard let animatedImage = FLAnimatedImage(gifData:data) else {
             createGenericPreview(attachmentPreviewView:attachmentPreviewView)
             return
         }

Signal/src/ViewControllers/FullImageViewController.m

@@ -2,15 +2,16 @@
 //  Copyright (c) 2017 Open Whisper Systems. All rights reserved.
 //
 
-#import "FLAnimatedImage.h"
 #import "FullImageViewController.h"
-#import "UIUtil.h"
-#import "UIView+OWS.h"
-#import "TSPhotoAdapter.h"
-#import "TSMessageAdapter.h"
+#import "AttachmentSharing.h"
+#import "FLAnimatedImage.h"
 #import "TSAnimatedAdapter.h"
+#import "TSMessageAdapter.h"
+#import "TSPhotoAdapter.h"
 #import "UIColor+OWS.h"
-#import "AttachmentSharing.h"
+#import "UIUtil.h"
+#import "UIView+OWS.h"
+#import <SignalServiceKit/NSData+Image.h>
 
 NS_ASSUME_NONNULL_BEGIN
 
@@ -168,14 +169,18 @@ NS_ASSUME_NONNULL_BEGIN
 
 - (void)initializeImageView {
     if (self.isAnimated) {
-        // Present the animated image using Flipboard/FLAnimatedImage
-        FLAnimatedImage *animatedGif   = [FLAnimatedImage animatedImageWithGIFData:self.fileData];
-        FLAnimatedImageView *imageView = [[FLAnimatedImageView alloc] init];
-        imageView.animatedImage        = animatedGif;
-        imageView.frame                = self.originRect;
-        imageView.contentMode          = UIViewContentModeScaleAspectFill;
-        imageView.clipsToBounds        = YES;
-        self.imageView                 = imageView;
+        if ([self.fileData ows_isValidImage]) {
+            // Present the animated image using Flipboard/FLAnimatedImage
+            FLAnimatedImage *animatedGif = [FLAnimatedImage animatedImageWithGIFData:self.fileData];
+            FLAnimatedImageView *imageView = [[FLAnimatedImageView alloc] init];
+            imageView.animatedImage = animatedGif;
+            imageView.frame = self.originRect;
+            imageView.contentMode = UIViewContentModeScaleAspectFill;
+            imageView.clipsToBounds = YES;
+            self.imageView = imageView;
+        } else {
+            self.imageView = [[UIImageView alloc] initWithFrame:self.originRect];
+        }
     } else {
         // Present the static image using standard UIImageView
         self.imageView                              = [[UIImageView alloc] initWithFrame:self.originRect];

Signal/src/util/UIUtil.h

@@ -1,9 +1,12 @@
+//
+//  Copyright (c) 2017 Open Whisper Systems. All rights reserved.
+//
+
 #import <Foundation/Foundation.h>
 
 #import "MIMETypeUtil.h"
 #import "UIColor+OWS.h"
 #import "UIFont+OWS.h"
-#import "UIImage+contentTypes.h"
 #import "UIImage+normalizeImage.h"
 
 typedef void (^completionBlock)(void);

Signal/src/views/OWSOutgoingMessageCollectionViewCell.m

@@ -3,7 +3,6 @@
 //
 
 #import "OWSOutgoingMessageCollectionViewCell.h"
-#import "FLAnimatedImageView.h"
 #import "OWSExpirationTimerView.h"
 #import "UIView+OWS.h"
 #import <JSQMessagesViewController/JSQMediaItem.h>

SignalServiceKit/src/Messages/Attachments/TSAttachmentStream.m

@@ -4,6 +4,7 @@
 
 #import "TSAttachmentStream.h"
 #import "MIMETypeUtil.h"
+#import "NSData+Image.h"
 #import "TSAttachmentPointer.h"
 #import <AVFoundation/AVFoundation.h>
 #import <ImageIO/ImageIO.h>
@@ -257,7 +258,11 @@ NS_ASSUME_NONNULL_BEGIN
         if (!mediaUrl) {
             return nil;
         }
-        return [UIImage imageWithData:[NSData dataWithContentsOfURL:mediaUrl]];
+        NSData *data = [NSData dataWithContentsOfURL:mediaUrl];
+        if (![data ows_isValidImage]) {
+            return nil;
+        }
+        return [UIImage imageWithData:data];
     } else {
         return nil;
     }
@@ -314,6 +319,9 @@ NS_ASSUME_NONNULL_BEGIN
         if (!mediaUrl) {
             return CGSizeZero;
         }
+        if (![NSData ows_isValidImageAtPath:mediaUrl.path]) {
+            return CGSizeZero;
+        }
 
         // With CGImageSource we avoid loading the whole image into memory.
         CGImageSourceRef source = CGImageSourceCreateWithURL((CFURLRef)mediaUrl, NULL);

SignalServiceKit/src/Util/MIMETypeUtil.m

@@ -4,7 +4,6 @@
 
 #import "MIMETypeUtil.h"
 #if TARGET_OS_IPHONE
-#import "UIImage+contentTypes.h"
 #import <MobileCoreServices/MobileCoreServices.h>
 #else
 #import <CoreServices/CoreServices.h>

SignalServiceKit/src/Util/NSData+Image.h

@@ -0,0 +1,12 @@
+//
+//  Copyright (c) 2017 Open Whisper Systems. All rights reserved.
+//
+
+#import <Foundation/Foundation.h>
+
+@interface NSData (Image)
+
++ (BOOL)ows_isValidImageAtPath:(NSString *)filePath;
+- (BOOL)ows_isValidImage;
+
+@end

SignalServiceKit/src/Util/NSData+Image.m

@@ -0,0 +1,140 @@
+//
+//  Copyright (c) 2017 Open Whisper Systems. All rights reserved.
+//
+
+#import "NSData+Image.h"
+
+typedef NS_ENUM(NSInteger, ImageFormat) {
+    ImageFormat_Unknown,
+    ImageFormat_Png,
+    ImageFormat_Gif,
+    ImageFormat_Tiff,
+    ImageFormat_Jpeg,
+    ImageFormat_Bmp,
+};
+
+@implementation NSData (Image)
+
++ (BOOL)ows_isValidImageAtPath:(NSString *)filePath
+{
+    NSError *error = nil;
+    NSData *data = [NSData dataWithContentsOfFile:filePath options:NSDataReadingMappedIfSafe error:&error];
+    if (error) {
+        DDLogError(@"%@ could not read image data: %@", self.tag, error);
+    }
+
+    return [data ows_isValidImage];
+}
+
+- (BOOL)ows_isValidImage
+{
+    // Don't trust the file extension; iOS (e.g. UIKit, Core Graphics) will happily
+    // load a .gif with a .png file extension.
+    //
+    // Instead, use the "magic numbers" in the file data to determine the image format.
+    ImageFormat imageFormat = [self ows_guessImageFormat];
+    if (imageFormat == ImageFormat_Gif) {
+        return [self ows_hasValidGifSize];
+    } else if (imageFormat == ImageFormat_Unknown) {
+        return NO;
+    } else {
+        return YES;
+    }
+}
+
+- (ImageFormat)ows_guessImageFormat
+{
+    const NSUInteger kTwoBytesLength = 2;
+    if (self.length < kTwoBytesLength) {
+        return ImageFormat_Unknown;
+    }
+
+    unsigned char bytes[kTwoBytesLength];
+    [self getBytes:&bytes range:NSMakeRange(0, kTwoBytesLength)];
+
+    unsigned char byte0 = bytes[0];
+    unsigned char byte1 = bytes[1];
+
+    if (byte0 == 0x47 && byte1 == 0x49) {
+        return ImageFormat_Gif;
+    } else if (byte0 == 0x89 && byte1 == 0x50) {
+        return ImageFormat_Png;
+    } else if (byte0 == 0xff && byte1 == 0xd8) {
+        return ImageFormat_Jpeg;
+    } else if (byte0 == 0x42 && byte1 == 0x4d) {
+        return ImageFormat_Bmp;
+    } else if (byte0 == 0x4D && byte1 == 0x4D) {
+        // Motorola byte order TIFF
+        return ImageFormat_Tiff;
+    } else if (byte0 == 0x49 && byte1 == 0x49) {
+        // Intel byte order TIFF
+        return ImageFormat_Tiff;
+    }
+
+    return ImageFormat_Unknown;
+}
+
++ (BOOL)ows_areByteArraysEqual:(NSUInteger)length left:(unsigned char *)left right:(unsigned char *)right
+{
+    for (NSUInteger i = 0; i < length; i++) {
+        if (left[i] != right[i]) {
+            return NO;
+        }
+    }
+    return YES;
+}
+
+// Parse the GIF header to prevent the "GIF of death" issue.
+//
+// See: https://blog.flanker017.me/cve-2017-2416-gif-remote-exec/
+// See: https://www.w3.org/Graphics/GIF/spec-gif89a.txt
+- (BOOL)ows_hasValidGifSize
+{
+    const NSUInteger kSignatureLength = 3;
+    const NSUInteger kVersionLength = 3;
+    const NSUInteger kWidthLength = 2;
+    const NSUInteger kHeightLength = 2;
+    const NSUInteger kPrefixLength = kSignatureLength + kVersionLength;
+    const NSUInteger kBufferLength = kSignatureLength + kVersionLength + kWidthLength + kHeightLength;
+
+    if (self.length < kBufferLength) {
+        return NO;
+    }
+
+    unsigned char bytes[kBufferLength];
+    [self getBytes:&bytes range:NSMakeRange(0, kBufferLength)];
+
+    unsigned char kGif87APrefix[kPrefixLength] = {
+        0x47, 0x49, 0x46, 0x38, 0x37, 0x61,
+    };
+    unsigned char kGif89APrefix[kPrefixLength] = {
+        0x47, 0x49, 0x46, 0x38, 0x39, 0x61,
+    };
+    if (![NSData ows_areByteArraysEqual:kPrefixLength left:bytes right:kGif87APrefix]
+        && ![NSData ows_areByteArraysEqual:kPrefixLength left:bytes right:kGif89APrefix]) {
+        return NO;
+    }
+    NSUInteger width = ((NSUInteger)bytes[kPrefixLength + 0]) | (((NSUInteger)bytes[kPrefixLength + 1] << 8));
+    NSUInteger height = ((NSUInteger)bytes[kPrefixLength + 2]) | (((NSUInteger)bytes[kPrefixLength + 3] << 8));
+
+    // We need to ensure that the image size is "reasonable".
+    // We impose an arbitrary "very large" limit on image size
+    // to eliminate harmful values.
+    const NSUInteger kMaxValidSize = 1 << 18;
+
+    return (width > 0 && width < kMaxValidSize && height > 0 && height < kMaxValidSize);
+}
+
+#pragma mark - Logging
+
++ (NSString *)tag
+{
+    return [NSString stringWithFormat:@"[%@]", self.class];
+}
+
+- (NSString *)tag
+{
+    return self.class.tag;
+}
+
+@end

SignalServiceKit/src/Util/UIImage+contentTypes.h

@@ -1,16 +0,0 @@
-//
-//  UIImage+contentTypes.h
-//  Signal
-//
-//  Created by Frederic Jacobs on 21/12/14.
-//  Copyright (c) 2014 Open Whisper Systems. All rights reserved.
-//
-
-#import <UIKit/UIKit.h>
-
-@interface UIImage (contentTypes)
-
-- (NSString *)contentType;
-- (BOOL)isSupportedImageType;
-
-@end

SignalServiceKit/src/Util/UIImage+contentTypes.m

@@ -1,34 +0,0 @@
-//  Created by Frederic Jacobs on 21/12/14.
-//  Copyright (c) 2014 Open Whisper Systems. All rights reserved.
-
-#import "MIMETypeUtil.h"
-#import "UIImage+contentTypes.h"
-
-@implementation UIImage (contentTypes)
-
-- (NSString *)contentType {
-    uint8_t c;
-    [UIImagePNGRepresentation(self) getBytes:&c length:1];
-
-    switch (c) {
-        case 0xFF:
-            return @"image/jpeg";
-        case 0x89:
-            return OWSMimeTypeImagePng;
-        case 0x47:
-            return @"image/gif";
-        case 0x49:
-            break;
-        case 0x42:
-            return @"image/bmp";
-        case 0x4D:
-            return @"image/tiff";
-    }
-    return nil;
-}
-
-- (BOOL)isSupportedImageType {
-    return ([self contentType] ? YES : NO);
-}
-
-@end