@dcl/content-validator 7.1.5 → 7.2.0

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/dist/image-metadata.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Minimal image-metadata reader used by thumbnail validations.
+ *
+ * The library only needs to know the format ("png" vs anything else) and the
+ * pixel dimensions to enforce the catalyst thumbnail rules. We deliberately
+ * avoid pulling in `sharp` for that — a full image pipeline with native
+ * bindings is overkill for a header read, and ships a multi-MB libvips that
+ * needs an extra system dependency on every CI runner.
+ *
+ * Beyond reading dimensions, the reader applies structural sanity checks per
+ * format: PNG chunk-chain integrity (single IHDR, terminating IEND, no
+ * trailing data, spec-allowed bit-depth/color-type combination), JPEG
+ * EOI termination, WebP RIFF chunk-size match, and a uniform "non-zero,
+ * non-negative dimensions" contract on the returned width/height.
+ */
+/**
+ * Image formats recognised by {@link readImageMetadata}.
+ *
+ * The reader detects each format by its magic bytes and validates the
+ * minimum structural invariants needed to extract dimensions safely.
+ * @public
+ */
+export type ImageFormat = 'png' | 'jpeg' | 'webp' | 'gif' | 'bmp';
+/**
+ * Header-derived dimensions and format of an image.
+ *
+ * Width and height are guaranteed to be positive integers — the reader
+ * throws rather than returning zero, negative, or non-integer values.
+ * @public
+ */
+export interface ImageMetadata {
+    format: ImageFormat;
+    width: number;
+    height: number;
+}
+/**
+ * Reads the format and pixel dimensions of a recognised image buffer.
+ *
+ * Recognises PNG, JPEG, WebP, GIF, and BMP by their magic bytes. The library
+ * only enforces a PNG-format check on top of this, but recognising the other
+ * common formats means a user uploading a JPEG/WebP/GIF/BMP thumbnail gets
+ * the precise "Invalid format" error instead of a generic parse failure.
+ *
+ * Throws if the buffer is not a recognised, structurally-valid image with
+ * non-zero, non-negative dimensions. Callers are expected to wrap calls in
+ * try/catch to translate the throw into a "couldn't parse" validation error.
+ * @public
+ */
+export declare function readImageMetadata(input: Uint8Array): ImageMetadata;
+//# sourceMappingURL=image-metadata.d.ts.map

package/dist/image-metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"image-metadata.d.ts","sourceRoot":"","sources":["../src/image-metadata.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AA+CH;;;;;;GAMG;AACH,MAAM,MAAM,WAAW,GAAG,KAAK,GAAG,MAAM,GAAG,MAAM,GAAG,KAAK,GAAG,KAAK,CAAA;AAEjE;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,WAAW,CAAA;IACnB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,MAAM,CAAA;CACf;AAYD;;;;;;;;;;;;GAYG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,UAAU,GAAG,aAAa,CAmBlE"}

package/dist/image-metadata.js

@@ -0,0 +1,407 @@
+"use strict";
+/**
+ * Minimal image-metadata reader used by thumbnail validations.
+ *
+ * The library only needs to know the format ("png" vs anything else) and the
+ * pixel dimensions to enforce the catalyst thumbnail rules. We deliberately
+ * avoid pulling in `sharp` for that — a full image pipeline with native
+ * bindings is overkill for a header read, and ships a multi-MB libvips that
+ * needs an extra system dependency on every CI runner.
+ *
+ * Beyond reading dimensions, the reader applies structural sanity checks per
+ * format: PNG chunk-chain integrity (single IHDR, terminating IEND, no
+ * trailing data, spec-allowed bit-depth/color-type combination), JPEG
+ * EOI termination, WebP RIFF chunk-size match, and a uniform "non-zero,
+ * non-negative dimensions" contract on the returned width/height.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readImageMetadata = readImageMetadata;
+const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
+const PNG_IHDR_BYTES = Buffer.from('IHDR', 'ascii');
+const PNG_IEND_BYTES = Buffer.from('IEND', 'ascii');
+const PNG_IHDR_CHUNK_LENGTH = 13;
+const PNG_FIRST_CHUNK_END = 33; // 8 (signature) + 4 (length) + 4 (type) + 13 (IHDR data) + 4 (CRC)
+const PNG_CHUNK_OVERHEAD = 12; // length(4) + type(4) + crc(4)
+// PNG spec (ISO/IEC 15948 §5.3): chunk lengths shall not exceed 2^31-1 bytes
+// even though the wire field is 4 bytes. Anything above that is a parser
+// differential — some readers reject, some accept the high bit silently.
+const PNG_MAX_CHUNK_LENGTH = 0x7fffffff;
+// Spec-permitted bit-depth + color-type combinations (PNG, ISO/IEC 15948, §11.2.2).
+const PNG_VALID_BIT_DEPTHS_BY_COLOR_TYPE = {
+    0: [1, 2, 4, 8, 16], // Grayscale
+    2: [8, 16], // Truecolor (RGB)
+    3: [1, 2, 4, 8], // Indexed-colour (Palette)
+    4: [8, 16], // Greyscale + Alpha
+    6: [8, 16] // Truecolor + Alpha (RGBA)
+};
+const WEBP_RIFF_BYTES = Buffer.from('RIFF', 'ascii');
+const WEBP_WEBP_BYTES = Buffer.from('WEBP', 'ascii');
+const WEBP_VP8_BYTES = Buffer.from('VP8 ', 'ascii');
+const WEBP_VP8L_BYTES = Buffer.from('VP8L', 'ascii');
+const WEBP_VP8X_BYTES = Buffer.from('VP8X', 'ascii');
+const GIF87A_BYTES = Buffer.from('GIF87a', 'ascii');
+const GIF89A_BYTES = Buffer.from('GIF89a', 'ascii');
+const JPEG_EOI_BYTE_1 = 0xff;
+const JPEG_EOI_BYTE_2 = 0xd9;
+/**
+ * Compare a slice of `buffer` to `expected` using byte-exact equality.
+ *
+ * Buffer.toString('ascii') masks the high bit of each byte before decoding,
+ * so a chunk type stored as e.g. [0x49, 0x48, 0xC4, 0x52] would otherwise
+ * decode as "IHDR" — a parser differential vs. real PNG/WebP/GIF readers.
+ * This helper is used everywhere a magic byte sequence or chunk identifier
+ * needs to be compared.
+ */
+function bufferEqualsAt(buffer, offset, expected) {
+    if (offset < 0 || offset + expected.length > buffer.length)
+        return false;
+    return buffer.subarray(offset, offset + expected.length).equals(expected);
+}
+// Display names used in user-facing error messages, matching the casing
+// produced by the format-specific validators (e.g. "Malformed PNG", "Malformed WebP").
+const FORMAT_DISPLAY_NAME = {
+    png: 'PNG',
+    jpeg: 'JPEG',
+    webp: 'WebP',
+    gif: 'GIF',
+    bmp: 'BMP'
+};
+/**
+ * Reads the format and pixel dimensions of a recognised image buffer.
+ *
+ * Recognises PNG, JPEG, WebP, GIF, and BMP by their magic bytes. The library
+ * only enforces a PNG-format check on top of this, but recognising the other
+ * common formats means a user uploading a JPEG/WebP/GIF/BMP thumbnail gets
+ * the precise "Invalid format" error instead of a generic parse failure.
+ *
+ * Throws if the buffer is not a recognised, structurally-valid image with
+ * non-zero, non-negative dimensions. Callers are expected to wrap calls in
+ * try/catch to translate the throw into a "couldn't parse" validation error.
+ * @public
+ */
+function readImageMetadata(input) {
+    // Reject SharedArrayBuffer-backed inputs: a concurrent writer could race the
+    // parser between length checks and reads (TOCTOU). The reader operates on
+    // bytes only; callers who need shared memory must copy into a regular
+    // ArrayBuffer first.
+    if (typeof SharedArrayBuffer !== 'undefined' && input.buffer instanceof SharedArrayBuffer) {
+        throw new Error('Image input must not be backed by a SharedArrayBuffer');
+    }
+    // Wrap as Buffer to access readUInt*BE / equals / toString without copying.
+    const buffer = Buffer.isBuffer(input) ? input : Buffer.from(input.buffer, input.byteOffset, input.byteLength);
+    let metadata;
+    if (isPng(buffer))
+        metadata = readPngMetadata(buffer);
+    else if (isJpeg(buffer))
+        metadata = readJpegMetadata(buffer);
+    else if (isWebp(buffer))
+        metadata = readWebpMetadata(buffer);
+    else if (isGif(buffer))
+        metadata = readGifMetadata(buffer);
+    else if (isBmp(buffer))
+        metadata = readBmpMetadata(buffer);
+    else
+        throw new Error('Unsupported image format');
+    assertPositiveDimensions(metadata);
+    return metadata;
+}
+function assertPositiveDimensions(metadata) {
+    const name = FORMAT_DISPLAY_NAME[metadata.format];
+    if (!Number.isInteger(metadata.width) || metadata.width <= 0) {
+        throw new Error(`Malformed ${name}: non-positive width ${metadata.width}`);
+    }
+    if (!Number.isInteger(metadata.height) || metadata.height <= 0) {
+        throw new Error(`Malformed ${name}: non-positive height ${metadata.height}`);
+    }
+}
+function isPng(buffer) {
+    // Require the full IHDR chunk (signature + 25-byte IHDR) to be present so
+    // readPngMetadata can safely read every IHDR field, including bit depth at
+    // byte 24 and color type at byte 25. A shorter buffer with the PNG signature
+    // is treated as unrecognised rather than as a truncated PNG.
+    return buffer.length >= PNG_FIRST_CHUNK_END && buffer.subarray(0, 8).equals(PNG_SIGNATURE);
+}
+function readPngMetadata(buffer) {
+    if (buffer.readUInt32BE(8) !== PNG_IHDR_CHUNK_LENGTH) {
+        throw new Error('Malformed PNG: IHDR chunk length is not 13');
+    }
+    if (!bufferEqualsAt(buffer, 12, PNG_IHDR_BYTES)) {
+        throw new Error('Malformed PNG: missing IHDR chunk');
+    }
+    const width = buffer.readUInt32BE(16);
+    const height = buffer.readUInt32BE(20);
+    validatePngBitDepthAndColorType(buffer.readUInt8(24), buffer.readUInt8(25));
+    validatePngIhdrMethods(buffer.readUInt8(26), buffer.readUInt8(27), buffer.readUInt8(28));
+    validatePngChunkChain(buffer);
+    return { format: 'png', width, height };
+}
+function validatePngBitDepthAndColorType(bitDepth, colorType) {
+    const allowed = PNG_VALID_BIT_DEPTHS_BY_COLOR_TYPE[colorType];
+    if (!allowed) {
+        throw new Error(`Malformed PNG: invalid color type ${colorType}`);
+    }
+    if (!allowed.includes(bitDepth)) {
+        throw new Error(`Malformed PNG: invalid bit depth ${bitDepth} for color type ${colorType}`);
+    }
+}
+function validatePngIhdrMethods(compression, filter, interlace) {
+    // Per PNG spec (ISO/IEC 15948 §11.2.2), only deflate (0) compression and
+    // filter method 0 are defined. Interlace must be 0 (none) or 1 (Adam7).
+    if (compression !== 0) {
+        throw new Error(`Malformed PNG: invalid compression method ${compression}`);
+    }
+    if (filter !== 0) {
+        throw new Error(`Malformed PNG: invalid filter method ${filter}`);
+    }
+    if (interlace !== 0 && interlace !== 1) {
+        throw new Error(`Malformed PNG: invalid interlace method ${interlace}`);
+    }
+}
+function validatePngChunkChain(buffer) {
+    // First chunk after the signature is IHDR (already validated by the caller).
+    // Walk subsequent chunks, requiring exactly one IEND that terminates the
+    // buffer. Reject duplicate IHDR chunks.
+    let i = PNG_FIRST_CHUNK_END;
+    while (i + PNG_CHUNK_OVERHEAD <= buffer.length) {
+        const chunkDataLength = buffer.readUInt32BE(i);
+        if (chunkDataLength > PNG_MAX_CHUNK_LENGTH) {
+            throw new Error('Malformed PNG: chunk length exceeds 2^31-1');
+        }
+        if (bufferEqualsAt(buffer, i + 4, PNG_IHDR_BYTES)) {
+            throw new Error('Malformed PNG: duplicate IHDR chunk');
+        }
+        if (bufferEqualsAt(buffer, i + 4, PNG_IEND_BYTES)) {
+            // IEND has zero-length data per ISO/IEC 15948. Validate both the
+            // declared length AND the chunk footprint: a file that declares a
+            // non-zero IEND length but only contains the 12-byte footprint would
+            // otherwise pass us while strict readers reject (they expect more
+            // bytes for IEND data + CRC).
+            if (chunkDataLength !== 0) {
+                throw new Error('Malformed PNG: IEND chunk must have zero length');
+            }
+            if (i + PNG_CHUNK_OVERHEAD !== buffer.length) {
+                throw new Error('Malformed PNG: data after IEND chunk');
+            }
+            return;
+        }
+        // Advance past this chunk: length(4) + type(4) + data(N) + crc(4).
+        i += PNG_CHUNK_OVERHEAD + chunkDataLength;
+    }
+    throw new Error('Malformed PNG: missing IEND chunk');
+}
+function isJpeg(buffer) {
+    return buffer.length >= 4 && buffer[0] === 0xff && buffer[1] === 0xd8 && buffer[2] === 0xff;
+}
+function readJpegMetadata(buffer) {
+    // The buffer must be terminated by an EOI marker (FF D9). This rejects
+    // truncated JPEGs and trailing-data polyglots.
+    if (buffer.length < 4 ||
+        buffer[buffer.length - 2] !== JPEG_EOI_BYTE_1 ||
+        buffer[buffer.length - 1] !== JPEG_EOI_BYTE_2) {
+        throw new Error('Malformed JPEG: missing EOI marker');
+    }
+    // JPEG is a chain of 0xFF-prefixed segments. Dimensions live in any of the
+    // SOFn (Start Of Frame) segments — markers 0xC0..0xCF except 0xC4 (DHT),
+    // 0xC8 (JPG, reserved), and 0xCC (DAC). The SOFn payload reads up to
+    // buffer[i + 8], so we need `i + 8 < buffer.length`.
+    let i = 2;
+    while (i < buffer.length - 8) {
+        if (buffer[i] !== 0xff) {
+            i++;
+            continue;
+        }
+        const marker = buffer[i + 1];
+        // Skip fill bytes (0xFF padding before a real marker).
+        if (marker === 0x00 || marker === 0xff) {
+            i++;
+            continue;
+        }
+        // Standalone markers have no length field. Advance past the marker only
+        // so we don't read the next two bytes as a bogus segment length and
+        // desynchronise the parser. TEM=0x01, RST0..7=0xD0..0xD7, SOI=0xD8,
+        // EOI=0xD9.
+        if (marker === 0x01 || (marker >= 0xd0 && marker <= 0xd9)) {
+            i += 2;
+            continue;
+        }
+        // SOS (Start Of Scan) marks the boundary between marker stream and
+        // entropy-coded image data. SOFn must appear before SOS in any valid
+        // JPEG; if we hit SOS without one, stop scanning rather than walk
+        // entropy data hunting for a 0xFF marker (which would be a false
+        // positive on improperly stuffed bytes).
+        if (marker === 0xda) {
+            break;
+        }
+        const isStartOfFrame = marker >= 0xc0 && marker <= 0xcf && marker !== 0xc4 && marker !== 0xc8 && marker !== 0xcc;
+        if (isStartOfFrame) {
+            // SOFn payload: [length:2][precision:1][height:2][width:2][...]
+            return {
+                format: 'jpeg',
+                height: buffer.readUInt16BE(i + 5),
+                width: buffer.readUInt16BE(i + 7)
+            };
+        }
+        // Loop invariant `i < buffer.length - 8` guarantees i+3 is in bounds,
+        // so the segment-length read below is always safe.
+        const segmentLength = buffer.readUInt16BE(i + 2);
+        if (segmentLength < 2)
+            break;
+        i += 2 + segmentLength;
+    }
+    throw new Error('Malformed JPEG: no SOFn marker found');
+}
+function isWebp(buffer) {
+    // RIFF[4 bytes file size]WEBP[4 bytes variant identifier]
+    return buffer.length >= 16 && bufferEqualsAt(buffer, 0, WEBP_RIFF_BYTES) && bufferEqualsAt(buffer, 8, WEBP_WEBP_BYTES);
+}
+function readWebpMetadata(buffer) {
+    // The RIFF chunk size at bytes 4-7 covers everything after the size field
+    // itself, i.e. exactly `buffer.length - 8` for a well-formed file. A
+    // mismatch indicates truncation or trailing data injection.
+    const declaredRiffSize = buffer.readUInt32LE(4);
+    if (declaredRiffSize !== buffer.length - 8) {
+        throw new Error('Malformed WebP: RIFF chunk size does not match buffer length');
+    }
+    // After "WEBP" comes a sub-chunk identifier ("VP8 ", "VP8L", or "VP8X")
+    // and dimensions are encoded slightly differently per variant.
+    if (bufferEqualsAt(buffer, 12, WEBP_VP8_BYTES)) {
+        // Lossy: width/height are at bytes 26-29 as 14-bit little-endian values,
+        // preceded by the mandatory 3-byte VP8 keyframe sync code at bytes 23-25.
+        if (buffer.length < 30) {
+            throw new Error('Malformed WebP: VP8 chunk truncated');
+        }
+        assertWebpSimpleSubChunkSize(buffer, 'VP8');
+        if (buffer[23] !== 0x9d || buffer[24] !== 0x01 || buffer[25] !== 0x2a) {
+            throw new Error('Malformed WebP: invalid VP8 keyframe sync code');
+        }
+        return {
+            format: 'webp',
+            width: buffer.readUInt16LE(26) & 0x3fff,
+            height: buffer.readUInt16LE(28) & 0x3fff
+        };
+    }
+    if (bufferEqualsAt(buffer, 12, WEBP_VP8L_BYTES)) {
+        // Lossless: width-1 and height-1 are packed into bytes 21-24.
+        if (buffer.length < 25) {
+            throw new Error('Malformed WebP: VP8L chunk truncated');
+        }
+        assertWebpSimpleSubChunkSize(buffer, 'VP8L');
+        // VP8L spec mandates a 1-byte signature (0x2F) immediately after the
+        // 8-byte chunk header, before the packed dimensions.
+        if (buffer[20] !== 0x2f) {
+            throw new Error('Malformed WebP: invalid VP8L signature byte');
+        }
+        const b0 = buffer[21];
+        const b1 = buffer[22];
+        const b2 = buffer[23];
+        const b3 = buffer[24];
+        return {
+            format: 'webp',
+            width: 1 + ((b0 | (b1 << 8)) & 0x3fff),
+            height: 1 + (((b1 >> 6) | (b2 << 2) | (b3 << 10)) & 0x3fff)
+        };
+    }
+    if (bufferEqualsAt(buffer, 12, WEBP_VP8X_BYTES)) {
+        // Extended: width-1 and height-1 as 24-bit little-endian at bytes 24-29.
+        if (buffer.length < 30) {
+            throw new Error('Malformed WebP: VP8X chunk truncated');
+        }
+        // VP8X canvas info is always exactly 10 bytes; trailing chunks (ICCP,
+        // ANIM, …) are accounted for by the outer RIFF size only.
+        if (buffer.readUInt32LE(16) !== 10) {
+            throw new Error('Malformed WebP: VP8X chunk size must be 10');
+        }
+        return {
+            format: 'webp',
+            width: 1 + buffer.readUIntLE(24, 3),
+            height: 1 + buffer.readUIntLE(27, 3)
+        };
+    }
+    // Read the variant bytes for the error message via latin1 (preserves all
+    // byte values 0x00-0xFF) and then sanitise non-printable characters so we
+    // can't smuggle log lines through high-bit or control bytes.
+    throw new Error(`Malformed WebP: unknown variant '${sanitiseForLog(buffer.toString('latin1', 12, 16))}'`);
+}
+/**
+ * For Simple File Format WebP (VP8 / VP8L), the inner chunk's declared payload
+ * size at offset 16 must — together with the 8-byte chunk header and an
+ * optional 1-byte RIFF pad for odd-length payloads — account for everything
+ * after the 12-byte RIFF/WEBP preamble. Catches parser-differential attacks
+ * where a tampered chunk size is silently accepted by readers that work off
+ * fixed offsets.
+ */
+function assertWebpSimpleSubChunkSize(buffer, label) {
+    const declared = buffer.readUInt32LE(16);
+    const expectedPayload = buffer.length - 20;
+    const expectedPayloadWithoutPad = buffer.length - 21;
+    if (declared !== expectedPayload && declared !== expectedPayloadWithoutPad) {
+        throw new Error(`Malformed WebP: ${label} chunk size does not match buffer length`);
+    }
+}
+/**
+ * Replace control characters and non-printable bytes in a user-controlled
+ * string before interpolating it into an error message. PNG/JPEG/WebP type
+ * fields are 7-bit ASCII per spec, but a malicious buffer can put any
+ * 0x00-0x7F byte there — including newline / carriage return / NUL — which
+ * could otherwise smuggle log lines through downstream consumers.
+ */
+function sanitiseForLog(value) {
+    return value.replace(/[^\x20-\x7e]/g, '?');
+}
+function isGif(buffer) {
+    // Minimum legal GIF89a is signature(6) + LSD(7) + trailer(1) = 14 bytes.
+    return buffer.length >= 14 && (bufferEqualsAt(buffer, 0, GIF87A_BYTES) || bufferEqualsAt(buffer, 0, GIF89A_BYTES));
+}
+function readGifMetadata(buffer) {
+    // Per the GIF89a spec the file must end with a 0x3B trailer byte. Rejecting
+    // missing trailers brings GIF in line with the PNG (IEND) and JPEG (EOI)
+    // termination checks and catches truncated / trailing-data polyglots.
+    if (buffer[buffer.length - 1] !== 0x3b) {
+        throw new Error('Malformed GIF: missing trailer byte');
+    }
+    // Logical screen descriptor: width at bytes 6-7, height at 8-9, little-endian.
+    return {
+        format: 'gif',
+        width: buffer.readUInt16LE(6),
+        height: buffer.readUInt16LE(8)
+    };
+}
+const BMP_BITMAPCOREHEADER_SIZE = 12;
+function isBmp(buffer) {
+    // 14-byte BITMAPFILEHEADER + at least the 4-byte DIB header size field, plus
+    // enough room to read the smallest DIB header's width/height (BITMAPCOREHEADER
+    // ends at byte 21; everything else extends to 25).
+    return buffer.length >= 22 && buffer[0] === 0x42 && buffer[1] === 0x4d;
+}
+function readBmpMetadata(buffer) {
+    // BITMAPFILEHEADER bytes 2-5 store the total file size in bytes, including
+    // the headers. A mismatch indicates truncation or trailing data injection.
+    const declaredFileSize = buffer.readUInt32LE(2);
+    if (declaredFileSize !== buffer.length) {
+        throw new Error('Malformed BMP: file size header does not match buffer length');
+    }
+    const dibHeaderSize = buffer.readUInt32LE(14);
+    if (dibHeaderSize === BMP_BITMAPCOREHEADER_SIZE) {
+        // BITMAPCOREHEADER (OS/2 v1): 16-bit width and height at offsets 18-19 and
+        // 20-21. Negative heights are not defined for this header.
+        return {
+            format: 'bmp',
+            width: buffer.readUInt16LE(18),
+            height: buffer.readUInt16LE(20)
+        };
+    }
+    // BITMAPINFOHEADER and its extended variants (40, 52, 56, 108, 124 bytes).
+    // Width is signed int32 LE at 18-21, height is signed int32 LE at 22-25.
+    // A negative height encodes a top-down DIB; absolute value is the pixel
+    // height. A negative width is illegal per spec — assertPositiveDimensions
+    // enforces that on the way out.
+    if (buffer.length < 26) {
+        throw new Error('Malformed BMP: BITMAPINFOHEADER truncated');
+    }
+    return {
+        format: 'bmp',
+        width: buffer.readInt32LE(18),
+        height: Math.abs(buffer.readInt32LE(22))
+    };
+}
+//# sourceMappingURL=image-metadata.js.map