From 3ab66efcfed82d4ceb2e945586a07062983732aa Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Wed, 5 Sep 2018 20:36:37 +0200
Subject: [PATCH] update: max image size of 16 mil pixels to stop image bomb attacks

closes #555
---
 fdroidserver/update.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index 635f48ee..740ff6e2 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -23,8 +23,10 @@ import sys
 import os
 import shutil
 import glob
+import logging
 import re
 import socket
+import warnings
 import zipfile
 import hashlib
 import json
@@ -36,9 +38,6 @@ from argparse import ArgumentParser
 import collections
 from binascii import hexlify
-from PIL import Image, PngImagePlugin
-import logging
-
 from . import _
 from . import common
 from . import index
@@ -46,6 +45,10 @@ from . import metadata
 from .common import SdkToolsPopen
 from .exception import BuildException, FDroidException
+from PIL import Image, PngImagePlugin
+warnings.simplefilter('error', Image.DecompressionBombWarning)
+Image.MAX_IMAGE_PIXELS = 0xffffff # 4096x4096
+
 METADATA_VERSION = 20
 # less than the valid range of versionCode, i.e. Java's Integer.MIN_VALUE
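Review bot: In the last hunk, `0xffffff` is 16,777,215, one less than 4096x4096 (16,777,216), and Pillow warns when the pixel count exceeds the limit, so with the warning promoted to an error an image of exactly 4096x4096 would be rejected despite the comment; `Image.MAX_IMAGE_PIXELS = 4096 * 4096` matches the stated intent. The filter and the limit are set process-wide at import time, so any code path that opens an image can now raise `Image.DecompressionBombWarning` as an exception. The call sites are outside this diff, so it is worth confirming that they catch it and skip the offending file with a log message, rather than letting one oversized graphic abort the whole update run. A one-line comment above the two new statements, such as `# escalate Pillow's bomb warning to an error so oversized images are rejected, not decoded`, would document why the warning filter is changed.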