fix CI

Sayan Shaw · Sayan Shaw · commit f215c23649c2 · 2026-03-23T11:53:51.000-07:00
diff --git a/operators/vision/image_decoder_darwin.hpp b/operators/vision/image_decoder_darwin.hpp
@@ -82,6 +82,16 @@ struct DecodeImage {
     const int64_t height = static_cast<int64_t>(CGImageGetHeight(image));
     const int64_t channels = 3;
 
+    // Add dimension limit to prevent decompression bombs
+    static constexpr int64_t kMaxImageDimension = 16384;
+    static constexpr int64_t kMaxPixelCount = 100 * 1024 * 1024;  // 100 megapixels
+    if (width > kMaxImageDimension || height > kMaxImageDimension ||
+        width * height > kMaxPixelCount) {
+      CGImageRelease(image);
+      return {kOrtxErrorInvalidArgument,
+              "[ImageDecoder]: Image dimensions exceed maximum allowed size."};
+    }
+
     std::vector<int64_t> output_dimensions{height, width, channels};
     uint8_t* decoded_image_data = output.Allocate(output_dimensions);
 
diff --git a/operators/vision/image_decoder_win32.hpp b/operators/vision/image_decoder_win32.hpp
@@ -111,6 +111,15 @@ struct DecodeImage {
     const int width = static_cast<int>(uiWidth);
     const int channels = 3;  // Asks for RGB
 
+    // Add dimension limit to prevent decompression bombs
+    static constexpr UINT kMaxImageDimension = 16384;
+    static constexpr uint64_t kMaxPixelCount = 100 * 1024 * 1024;  // 100 megapixels
+    if (uiWidth > kMaxImageDimension || uiHeight > kMaxImageDimension ||
+        static_cast<uint64_t>(uiWidth) * uiHeight > kMaxPixelCount) {
+      return {kOrtxErrorInvalidArgument,
+              "[ImageDecoder]: Image dimensions exceed maximum allowed size."};
+    }
+
     // Security: reject CMYK pixel formats (e.g. CMYK JPEGs) before silent conversion.
     // WICConvertBitmapSource can silently convert CMYK→RGB, hiding the 4-channel shape from
     // downstream consumers that assume 3 channels, enabling heap overflow (CWE-122).
