H1K0
3b79f12ec0
Thumbnail/preview generation decoded untrusted images with no size limit (a decompression bomb could exhaust memory) and ran ffmpeg with no timeout (a malformed video could hang the request). Image dimensions are now checked via image.DecodeConfig before the raster is allocated and rejected above 64 Mpx, and ffmpeg runs under a 30s timeout. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>