safe_image 0.1.0 → 0.2.0

data/lib/safe_image/fonts/DEJAVU-LICENSE

@@ -0,0 +1,187 @@
+Fonts are (c) Bitstream (see below). DejaVu changes are in public domain.
+Glyphs imported from Arev fonts are (c) Tavmjong Bah (see below)
+
+
+Bitstream Vera Fonts Copyright
+------------------------------
+
+Copyright (c) 2003 by Bitstream, Inc. All Rights Reserved. Bitstream Vera is
+a trademark of Bitstream, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of the fonts accompanying this license ("Fonts") and associated
+documentation files (the "Font Software"), to reproduce and distribute the
+Font Software, including without limitation the rights to use, copy, merge,
+publish, distribute, and/or sell copies of the Font Software, and to permit
+persons to whom the Font Software is furnished to do so, subject to the
+following conditions:
+
+The above copyright and trademark notices and this permission notice shall
+be included in all copies of one or more of the Font Software typefaces.
+
+The Font Software may be modified, altered, or added to, and in particular
+the designs of glyphs or characters in the Fonts may be modified and
+additional glyphs or characters may be added to the Fonts, only if the fonts
+are renamed to names not containing either the words "Bitstream" or the word
+"Vera".
+
+This License becomes null and void to the extent applicable to Fonts or Font
+Software that has been modified and is distributed under the "Bitstream
+Vera" names.
+
+The Font Software may be sold as part of a larger software package but no
+copy of one or more of the Font Software typefaces may be sold by itself.
+
+THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF COPYRIGHT, PATENT,
+TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL BITSTREAM OR THE GNOME
+FOUNDATION BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, INCLUDING
+ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
+THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM OTHER DEALINGS IN THE
+FONT SOFTWARE.
+
+Except as contained in this notice, the names of Gnome, the Gnome
+Foundation, and Bitstream Inc., shall not be used in advertising or
+otherwise to promote the sale, use or other dealings in this Font Software
+without prior written authorization from the Gnome Foundation or Bitstream
+Inc., respectively. For further information, contact: fonts at gnome dot
+org.
+
+Arev Fonts Copyright
+------------------------------
+
+Copyright (c) 2006 by Tavmjong Bah. All Rights Reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of the fonts accompanying this license ("Fonts") and
+associated documentation files (the "Font Software"), to reproduce
+and distribute the modifications to the Bitstream Vera Font Software,
+including without limitation the rights to use, copy, merge, publish,
+distribute, and/or sell copies of the Font Software, and to permit
+persons to whom the Font Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright and trademark notices and this permission notice
+shall be included in all copies of one or more of the Font Software
+typefaces.
+
+The Font Software may be modified, altered, or added to, and in
+particular the designs of glyphs or characters in the Fonts may be
+modified and additional glyphs or characters may be added to the
+Fonts, only if the fonts are renamed to names not containing either
+the words "Tavmjong Bah" or the word "Arev".
+
+This License becomes null and void to the extent applicable to Fonts
+or Font Software that has been modified and is distributed under the 
+"Tavmjong Bah Arev" names.
+
+The Font Software may be sold as part of a larger software package but
+no copy of one or more of the Font Software typefaces may be sold by
+itself.
+
+THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
+OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL
+TAVMJONG BAH BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
+DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
+OTHER DEALINGS IN THE FONT SOFTWARE.
+
+Except as contained in this notice, the name of Tavmjong Bah shall not
+be used in advertising or otherwise to promote the sale, use or other
+dealings in this Font Software without prior written authorization
+from Tavmjong Bah. For further information, contact: tavmjong @ free
+. fr.
+
+TeX Gyre DJV Math
+-----------------
+Fonts are (c) Bitstream (see below). DejaVu changes are in public domain.
+
+Math extensions done by B. Jackowski, P. Strzelczyk and P. Pianowski
+(on behalf of TeX users groups) are in public domain.
+
+Letters imported from Euler Fraktur from AMSfonts are (c) American
+Mathematical Society (see below).
+Bitstream Vera Fonts Copyright
+Copyright (c) 2003 by Bitstream, Inc. All Rights Reserved. Bitstream Vera
+is a trademark of Bitstream, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of the fonts accompanying this license (“Fonts”) and associated
+documentation
+files (the “Font Software”), to reproduce and distribute the Font Software,
+including without limitation the rights to use, copy, merge, publish,
+distribute,
+and/or sell copies of the Font Software, and to permit persons  to whom
+the Font Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright and trademark notices and this permission notice
+shall be
+included in all copies of one or more of the Font Software typefaces.
+
+The Font Software may be modified, altered, or added to, and in particular
+the designs of glyphs or characters in the Fonts may be modified and
+additional
+glyphs or characters may be added to the Fonts, only if the fonts are
+renamed
+to names not containing either the words “Bitstream” or the word “Vera”.
+
+This License becomes null and void to the extent applicable to Fonts or
+Font Software
+that has been modified and is distributed under the “Bitstream Vera”
+names.
+
+The Font Software may be sold as part of a larger software package but
+no copy
+of one or more of the Font Software typefaces may be sold by itself.
+
+THE FONT SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF COPYRIGHT, PATENT,
+TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL BITSTREAM OR THE GNOME
+FOUNDATION
+BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL,
+SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, WHETHER IN AN
+ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF THE USE OR
+INABILITY TO USE
+THE FONT SOFTWARE OR FROM OTHER DEALINGS IN THE FONT SOFTWARE.
+Except as contained in this notice, the names of GNOME, the GNOME
+Foundation,
+and Bitstream Inc., shall not be used in advertising or otherwise to promote
+the sale, use or other dealings in this Font Software without prior written
+authorization from the GNOME Foundation or Bitstream Inc., respectively.
+For further information, contact: fonts at gnome dot org.
+
+AMSFonts (v. 2.2) copyright
+
+The PostScript Type 1 implementation of the AMSFonts produced by and
+previously distributed by Blue Sky Research and Y&Y, Inc. are now freely
+available for general use. This has been accomplished through the
+cooperation
+of a consortium of scientific publishers with Blue Sky Research and Y&Y.
+Members of this consortium include:
+
+Elsevier Science IBM Corporation Society for Industrial and Applied
+Mathematics (SIAM) Springer-Verlag American Mathematical Society (AMS)
+
+In order to assure the authenticity of these fonts, copyright will be
+held by
+the American Mathematical Society. This is not meant to restrict in any way
+the legitimate use of the fonts, such as (but not limited to) electronic
+distribution of documents containing these fonts, inclusion of these fonts
+into other public domain or commercial font collections or computer
+applications, use of the outline data to create derivative fonts and/or
+faces, etc. However, the AMS does require that the AMS copyright notice be
+removed from any derivative versions of the fonts which have been altered in
+any way. In addition, to ensure the fidelity of TeX documents using Computer
+Modern fonts, Professor Donald Knuth, creator of the Computer Modern faces,
+has requested that any alterations which yield different font metrics be
+given a different name.
+
+$Id$

data/lib/safe_image/ico.rb

@@ -0,0 +1,286 @@
+# frozen_string_literal: true
+
+require "tempfile"
+
+module SafeImage
+  # Pure-Ruby ICO container support, in the spirit of the REXML SVG path:
+  # the directory and legacy DIB payloads are parsed in memory-safe Ruby with
+  # explicit bounds checks, and pixel encoding is delegated to the hardened
+  # native libvips helpers. ImageMagick is never involved.
+  #
+  # PNG payloads (every modern favicon) are re-encoded through the native
+  # libvips PNG path rather than copied through verbatim, so output never
+  # contains attacker-controlled bytes. DIB payloads support the formats that
+  # exist in the wild: uncompressed BI_RGB at 1/4/8/24/32 bits per pixel plus
+  # the 1-bit AND transparency mask.
+  module Ico
+    module_function
+
+    MAX_BYTES = 5 * 1024 * 1024
+    MAX_ENTRIES = 256
+    # The directory caps entry dimensions at 256 (a stored 0 means 256); a DIB
+    # header claiming more is lying about the payload.
+    MAX_DIB_DIMENSION = 256
+    PNG_MAGIC = "\x89PNG\r\n\x1a\n".b.freeze
+    BI_RGB = 0
+
+    Entry = Data.define(:width, :height, :bpp, :offset, :size, :png)
+
+    def probe(path, max_pixels: nil)
+      started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+      data, entries = parse(path)
+      entry = largest(entries)
+      width, height = entry_dimensions(data, entry)
+      validate_pixels!(width, height, max_pixels)
+      {
+        width: width,
+        height: height,
+        frames: entries.length,
+        duration_ms: (Process.clock_gettime(Process::CLOCK_MONOTONIC) - started) * 1000
+      }
+    end
+
+    def frame_count(path, max_pixels: nil)
+      probe(path, max_pixels: max_pixels).fetch(:frames)
+    end
+
+    # Extracts the largest icon and writes it as PNG. Returns an info hash in
+    # the shape DiscourseCompat.result_from_info expects.
+    def convert_to_png(input, output, max_pixels: nil)
+      started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+      data, entries = parse(input)
+      entry = largest(entries)
+      output = PathSafety.ensure_safe_output_path!(output).to_s
+
+      width = height = nil
+      if entry.png
+        # Enforce the pixel cap from the IHDR dimensions before the payload
+        # reaches a decoder.
+        validate_pixels!(*entry_dimensions(data, entry), max_pixels)
+        payload = data.byteslice(entry.offset, entry.size)
+        Tempfile.create(["safe-image-ico", ".png"]) do |tmp|
+          tmp.binmode
+          tmp.write(payload)
+          tmp.close
+          # Sanitizing no-op resize: validates the PNG bytes, enforces the
+          # pixel cap and strips metadata on the way through libvips.
+          info = Native.resize(tmp.path, output, 1.0, "png", 100, max_pixels)
+          width = info.fetch(:width)
+          height = info.fetch(:height)
+        end
+      else
+        rgba, width, height = decode_rgba(data, entry)
+        validate_pixels!(width, height, max_pixels)
+        Native.png_from_rgba(rgba, width, height, output)
+      end
+
+      {
+        input_format: "ico",
+        output_format: "png",
+        width: width,
+        height: height,
+        duration_ms: (Process.clock_gettime(Process::CLOCK_MONOTONIC) - started) * 1000
+      }
+    end
+
+    def dominant_color(path, max_pixels: nil)
+      Tempfile.create(["safe-image-ico", ".png"]) do |tmp|
+        tmp.close
+        convert_to_png(path, tmp.path, max_pixels: max_pixels)
+        VipsBackend.dominant_color(tmp.path, max_pixels: max_pixels)
+      end
+    end
+
+    # -- container parsing ---------------------------------------------------
+
+    def parse(path)
+      path = PathSafety.ensure_regular_file!(path).to_s
+      size = File.size(path)
+      raise LimitError, "ico file has #{size} bytes, exceeds #{MAX_BYTES}" if size > MAX_BYTES
+      raise InvalidImageError, "ico file is truncated" if size < 6 + 16
+
+      data = File.binread(path)
+      reserved, type, count = data.unpack("vvv")
+      raise InvalidImageError, "not an ico file" unless reserved == 0 && type == 1
+      raise InvalidImageError, "ico directory is empty" if count.zero?
+      raise LimitError, "ico has #{count} entries, exceeds #{MAX_ENTRIES}" if count > MAX_ENTRIES
+
+      entries =
+        count.times.map do |index|
+          dir_offset = 6 + index * 16
+          raise InvalidImageError, "ico directory is truncated" if data.bytesize < dir_offset + 16
+
+          w8, h8, _colors, _reserved, _planes, bpp, bytes, img_offset =
+            data.byteslice(dir_offset, 16).unpack("CCCCvvVV")
+          if bytes < 16 || img_offset < 6 + count * 16 || img_offset + bytes > data.bytesize
+            raise InvalidImageError, "ico entry #{index} is out of bounds"
+          end
+
+          Entry.new(
+            width: w8.zero? ? 256 : w8,
+            height: h8.zero? ? 256 : h8,
+            bpp: bpp,
+            offset: img_offset,
+            size: bytes,
+            png: data.byteslice(img_offset, 8) == PNG_MAGIC
+          )
+        end
+
+      [data, entries]
+    end
+
+    def largest(entries)
+      entries.max_by { |entry| [entry.width * entry.height, entry.bpp] }
+    end
+
+    # PNG payloads carry their real dimensions in the IHDR chunk; the
+    # one-byte directory fields saturate at 256.
+    def entry_dimensions(data, entry)
+      return [entry.width, entry.height] unless entry.png
+      raise InvalidImageError, "png payload is truncated" if entry.size < 24
+      data.byteslice(entry.offset + 16, 8).unpack("NN")
+    end
+
+    def validate_pixels!(width, height, max_pixels)
+      raise InvalidImageError, "ico has invalid dimensions" if width.nil? || height.nil? || width < 1 || height < 1
+      limit = max_pixels ? Integer(max_pixels) : DEFAULT_MAX_PIXELS
+      pixels = width * height
+      raise LimitError, "image has #{pixels} pixels, exceeds #{limit}" if pixels > limit
+    end
+
+    # -- DIB payload decoding ------------------------------------------------
+
+    # Decodes a BITMAPINFOHEADER payload (XOR bitmap + 1-bit AND mask) into a
+    # top-down RGBA buffer. Returns [rgba_bytes, width, height].
+    def decode_rgba(data, entry)
+      payload = data.byteslice(entry.offset, entry.size)
+      raise InvalidImageError, "dib payload is truncated" if payload.bytesize < 40
+
+      header_size, width, height2, _planes, bpp, compression, _img_size, _xppm, _yppm, colors_used =
+        payload.unpack("Vl<l<vvVVl<l<V")
+      raise InvalidImageError, "unsupported dib header (size #{header_size})" if header_size != 40
+      raise InvalidImageError, "unsupported dib compression #{compression}" unless compression == BI_RGB
+      raise InvalidImageError, "unsupported dib bit depth #{bpp}" unless [1, 4, 8, 24, 32].include?(bpp)
+
+      top_down = height2.negative?
+      height = height2.abs / 2
+      if width < 1 || height < 1 || width > MAX_DIB_DIMENSION || height > MAX_DIB_DIMENSION || height2.abs.odd?
+        raise InvalidImageError, "dib dimensions are invalid (#{width}x#{height2})"
+      end
+
+      palette = []
+      palette_offset = header_size
+      if bpp <= 8
+        palette_count = colors_used.zero? ? (1 << bpp) : colors_used
+        raise InvalidImageError, "dib palette is invalid" if palette_count > 1 << bpp
+        raise InvalidImageError, "dib palette is truncated" if payload.bytesize < palette_offset + palette_count * 4
+        palette = payload.byteslice(palette_offset, palette_count * 4).unpack("C*").each_slice(4).map do |b, g, r, _x|
+          [r, g, b]
+        end
+        palette_offset += palette_count * 4
+      end
+
+      xor_stride = ((width * bpp + 31) / 32) * 4
+      and_stride = ((width + 31) / 32) * 4
+      xor_bytes = xor_stride * height
+      and_bytes = and_stride * height
+      raise InvalidImageError, "dib pixel data is truncated" if payload.bytesize < palette_offset + xor_bytes + and_bytes
+
+      xor_data = payload.byteslice(palette_offset, xor_bytes)
+      and_data = payload.byteslice(palette_offset + xor_bytes, and_bytes)
+
+      rgba =
+        if bpp == 32
+          decode_32bpp(xor_data, and_data, width, height, and_stride, top_down)
+        else
+          decode_low_bpp(xor_data, and_data, palette, width, height, bpp, xor_stride, and_stride, top_down)
+        end
+
+      [rgba, width, height]
+    end
+
+    # 32bpp is the format every real-world DIB favicon uses, so it gets a
+    # bulk path: reorder rows with byteslice, then swap BGRA to RGBA in one
+    # unpack/map!/pack pass. Reading big-endian makes the swap a single
+    # rotate-right-by-8.
+    def decode_32bpp(xor_data, and_data, width, height, and_stride, top_down)
+      stride = width * 4
+      unless top_down
+        xor_data = (0...height).map { |y| xor_data.byteslice((height - 1 - y) * stride, stride) }.join
+      end
+      pixels = xor_data.unpack("N*")
+
+      if alpha_all_zero?(xor_data)
+        # Pre-alpha icons leave every alpha byte zero and rely on the 1-bit
+        # AND mask (the Windows convention). A mask with no set bits means
+        # fully opaque, which bulk-converts; otherwise the rotated pixel
+        # keeps alpha 0 and only unmasked pixels need the opaque byte set.
+        if and_data.count("\x00") == and_data.bytesize
+          pixels.map! { |x| (x >> 8) | 0xFF000000 }
+        else
+          i = 0
+          height.times do |out_y|
+            mask_offset = (top_down ? out_y : height - 1 - out_y) * and_stride
+            width.times do |x|
+              value = pixels[i] >> 8
+              value |= 0xFF000000 if (and_data.getbyte(mask_offset + (x >> 3)) & (0x80 >> (x & 7))).zero?
+              pixels[i] = value
+              i += 1
+            end
+          end
+        end
+      else
+        pixels.map! { |x| (x >> 8) | ((x & 0xFF) << 24) }
+      end
+
+      pixels.pack("V*")
+    end
+
+    def decode_low_bpp(xor_data, and_data, palette, width, height, bpp, xor_stride, and_stride, top_down)
+      # Precomputed 4-byte RGBA chunks per palette entry (opaque and masked
+      # variants) turn the pixel body into a single string append.
+      if bpp <= 8
+        opaque = palette.map { |r, g, b| [r, g, b, 255].pack("C4") }
+        transparent = palette.map { |r, g, b| [r, g, b, 0].pack("C4") }
+      end
+
+      rgba = String.new(capacity: width * height * 4, encoding: Encoding::BINARY)
+      height.times do |out_y|
+        src_y = top_down ? out_y : height - 1 - out_y
+        xor_row = xor_data.byteslice(src_y * xor_stride, xor_stride)
+        and_row = and_data.byteslice(src_y * and_stride, and_stride)
+        width.times do |x|
+          masked = (and_row.getbyte(x >> 3) & (0x80 >> (x & 7))).positive?
+          if bpp == 24
+            b = xor_row.getbyte(x * 3)
+            g = xor_row.getbyte(x * 3 + 1)
+            r = xor_row.getbyte(x * 3 + 2)
+            rgba << r << g << b << (masked ? 0 : 255)
+            next
+          end
+
+          index =
+            case bpp
+            when 8 then xor_row.getbyte(x)
+            when 4 then (byte = xor_row.getbyte(x >> 1)
+                         x.even? ? byte >> 4 : byte & 0x0F)
+            else (xor_row.getbyte(x >> 3) >> (7 - (x & 7))) & 1
+            end
+          rgba << (masked ? transparent : opaque).fetch(index) do
+            raise InvalidImageError, "dib palette index #{index} is out of range"
+          end
+        end
+      end
+      rgba
+    end
+
+    # Possessive quantifier: the regex engine scans 4-byte groups in C with
+    # no backtracking, so the worst case (an all-zero legacy icon) stays
+    # sub-millisecond where a getbyte loop takes milliseconds.
+    ALPHA_ALL_ZERO = /\A(?:.{3}\x00)*+\z/mn
+
+    def alpha_all_zero?(xor_data)
+      xor_data.match?(ALPHA_ALL_ZERO)
+    end
+  end
+end

data/lib/safe_image/image_magick_backend.rb

@@ -14,7 +14,8 @@ module SafeImage
       "heic" => "heic",
       "heif" => "heic",
       "avif" => "heic",
-      "ico" => "ico"
+      "ico" => "ico",
+      "jxl" => "jxl"
     }.freeze
 
     IMAGEMAGICK_LIMIT_ARGS = [
@@ -167,6 +168,38 @@ module SafeImage
       1
     end
 
+    # Averages the whole image down to one pixel and reports it as an RRGGBB
+    # hex string, mirroring Discourse's Upload#calculate_dominant_color!.
+    def dominant_color(path, timeout: Runner::DEFAULT_TIMEOUT)
+      command = convert_command
+      path = PathSafety.ensure_imagemagick_input_file!(path)
+      ext = File.extname(path).delete_prefix(".").downcase
+      decoder = DECODERS.fetch(ext) { raise UnsupportedFormatError, "unsupported ImageMagick input format: #{ext.inspect}" }
+      stdout, = Runner.run!(
+        [
+          command, *IMAGEMAGICK_LIMIT_ARGS, "#{decoder}:#{path}[0]",
+          "-depth", "8",
+          "-resize", "1x1",
+          "-define", "histogram:unique-colors=true",
+          "-format", "%c",
+          "histogram:info:"
+        ],
+        timeout: timeout
+      )
+
+      # Typical output: `1: (110,116,93) #6F745E srgb(110,116,93)`. Alpha adds
+      # two more hex digits; grayscale images report one channel (two digits,
+      # four with alpha) instead of three.
+      digits = stdout[/#(\h+)/, 1]
+      hex =
+        case digits&.length
+        when 6, 8 then digits[0, 6]
+        when 2, 4 then digits[0, 2] * 3
+        end
+      raise InvalidImageError, "could not parse dominant color from ImageMagick output: #{stdout.strip.inspect}" if hex.nil?
+      hex.upcase
+    end
+
     def letter_avatar(output:, size:, background_rgb:, letter:, pointsize:, font: "NimbusSans-Regular", timeout: Runner::DEFAULT_TIMEOUT)
       command = convert_command
       output = PathSafety.ensure_safe_output_path!(output).to_s
@@ -216,7 +249,8 @@ module SafeImage
         "gif" => "gif",
         "webp" => "webp",
         "avif" => "avif",
-        "ico" => "ico"
+        "ico" => "ico",
+        "jxl" => "jxl"
       }.fetch(normalized) { raise UnsupportedFormatError, "unsupported ImageMagick output format: #{normalized.inspect}" }
       "#{coder}:#{output}"
     end
@@ -250,7 +284,9 @@ module SafeImage
       Runner.run!(argv, timeout: timeout)
       duration_ms = (Process.clock_gettime(Process::CLOCK_MONOTONIC) - started) * 1000
 
-      info = Native.probe(output)
+      # Output dimensions via the fast native header read, or identify when
+      # libvips is not installed (this backend must work without it).
+      info = VipsGlue.available? ? Native.probe(output) : probe(output)
       {
         input_format: input_format == "jpeg" ? "jpg" : input_format,
         output_format: output_format == "jpeg" ? "jpg" : output_format,

data/lib/safe_image/imagemagick_policy/policy.xml

@@ -6,7 +6,14 @@
   <policy domain="path" rights="none" pattern="@*" />
 
   <policy domain="coder" rights="none" pattern="*" />
-  <policy domain="coder" rights="read|write" pattern="{JPEG,JPG,PNG,GIF,WEBP,HEIC,HEIF,AVIF,ICO,ICC,ICM,XC}" />
+  <policy domain="coder" rights="read|write" pattern="{JPEG,JPG,PNG,GIF,WEBP,HEIC,HEIF,AVIF,ICO,ICC,ICM,XC,JXL}" />
+
+  <!-- Output-only coders for dominant_color, which writes the histogram
+       colour summary to stdout via histogram-to-info output. Write rights
+       only; neither is a decodable input format. NOTE: ImageMagick parses
+       this file with a hand-rolled tokenizer, not an XML parser; a backtick
+       or apostrophe in a comment silently truncates the policy here. -->
+  <policy domain="coder" rights="write" pattern="{HISTOGRAM,INFO}" />
 
   <!-- Ghostscript-backed / document / vector-ish formats: deny explicitly even
        if a broader system policy is present. -->

data/lib/safe_image/jpegli_backend.rb

@@ -65,7 +65,9 @@ module SafeImage
         raise Error, "cjpegli did not create output" unless tmp_path.file? && File.size(tmp_path).positive?
         FileUtils.mv(tmp_path, output_path)
 
-        info = Native.probe(output_path.to_s)
+        # cjpegli works without libvips; fall back to identify for the
+        # output dimensions when the native header read is unavailable.
+        info = VipsGlue.available? ? Native.probe(output_path.to_s) : ImageMagickBackend.probe(output_path.to_s)
         {
           input_format: input_format,
           output_format: "jpg",