fix: address PR docker#1889 review feedback for vision support

- Guard against decompression bombs in ResizeImage by rejecting decoded
  images exceeding 20000x20000 pixels before processing
- Fix image stripping for models with unknown capabilities: only strip
  images when modalities are explicitly known and exclude image input
- Check file existence before calling IsImageFile in read_file handler
  to provide clearer errors and avoid type detection on missing files

Assisted-By: cagent

Author: dgageot

pkg/chat/image.go

@@ -22,6 +22,10 @@ const (
 	// MaxImageBytes is the maximum file size for images sent to LLM providers (4.5MB,
 	// below Anthropic's 5MB limit).
 	MaxImageBytes = 4_500_000
+	// maxDecodedDimension is the absolute upper bound on decoded image dimensions.
+	// Images exceeding this are rejected before processing to guard against
+	// decompression bombs (small files that expand to huge pixel buffers).
+	maxDecodedDimension = 20_000
 	// jpegQuality is the default JPEG encoding quality.
 	jpegQuality = 80
 )
@@ -75,6 +79,13 @@ func ResizeImage(data []byte, mimeType string) (*ImageResizeResult, error) {
 	bounds := img.Bounds()
 	origW, origH := bounds.Dx(), bounds.Dy()
 
+	// Guard against decompression bombs: reject images whose decoded
+	// dimensions are absurdly large. A small compressed file can expand
+	// to hundreds of megabytes in memory (e.g. 20000×20000×4 ≈ 1.6 GB).
+	if origW > maxDecodedDimension || origH > maxDecodedDimension {
+		return nil, fmt.Errorf("image dimensions too large: %dx%d (max %d)", origW, origH, maxDecodedDimension)
+	}
+
 	// If the image already fits within all limits, return unchanged.
 	if origW <= MaxImageDimension && origH <= MaxImageDimension && len(data) <= MaxImageBytes {
 		return &ImageResizeResult{

pkg/runtime/runtime.go

@@ -1121,7 +1121,7 @@ func (r *LocalRuntime) RunStream(ctx context.Context, sess *session.Session) <-c
 			// Strip image content from messages if the model doesn't support image input.
 			// This prevents API errors when conversation history contains images (e.g. from
 			// tool results or user attachments) but the current model is text-only.
-			if m != nil && !slices.Contains(m.Modalities.Input, "image") {
+			if m != nil && len(m.Modalities.Input) > 0 && !slices.Contains(m.Modalities.Input, "image") {
 				messages = stripImageContent(messages)
 			}
 

pkg/tools/builtin/filesystem.go

@@ -522,12 +522,8 @@ func (t *FilesystemTool) handleListDirectory(_ context.Context, args ListDirecto
 func (t *FilesystemTool) handleReadFile(_ context.Context, args ReadFileArgs) (*tools.ToolCallResult, error) {
 	resolvedPath := t.resolvePath(args.Path)
 
-	// Check if the file is an image
-	if chat.IsImageFile(resolvedPath) {
-		return t.readImageFile(resolvedPath, args.Path)
-	}
-
-	content, err := os.ReadFile(resolvedPath)
+	// Check if the file exists before any type detection.
+	info, err := os.Stat(resolvedPath)
 	if err != nil {
 		var errMsg string
 		if os.IsNotExist(err) {
@@ -545,6 +541,22 @@ func (t *FilesystemTool) handleReadFile(_ context.Context, args ReadFileArgs) (*
 		}, nil
 	}
 
+	// Only check for image files on regular files (not directories, etc.)
+	if info.Mode().IsRegular() && chat.IsImageFile(resolvedPath) {
+		return t.readImageFile(resolvedPath, args.Path)
+	}
+
+	content, err := os.ReadFile(resolvedPath)
+	if err != nil {
+		return &tools.ToolCallResult{
+			Output:  err.Error(),
+			IsError: true,
+			Meta: ReadFileMeta{
+				Error: err.Error(),
+			},
+		}, nil
+	}
+
 	return &tools.ToolCallResult{
 		Output: string(content),
 		Meta: ReadFileMeta{