mirror of
https://github.com/webmproject/libwebp.git
synced 2025-02-21 19:32:52 +01:00
idec_dec: fix 0 offset of NULL pointer
in RemapMemBuffer() and AppendToMemBuffer() BUG=chromium:1028716,chromium:1027136 Change-Id: Ibc321d233b6207be3cb5cef4d9e8a60498e32457
This commit is contained in:
James Zern
parent
290dd0b426
commit
22cbae33e5
@ -166,9 +166,11 @@ static int AppendToMemBuffer(WebPIDecoder* const idec,
|
|||||||
VP8Decoder* const dec = (VP8Decoder*)idec->dec_;
|
VP8Decoder* const dec = (VP8Decoder*)idec->dec_;
|
||||||
MemBuffer* const mem = &idec->mem_;
|
MemBuffer* const mem = &idec->mem_;
|
||||||
const int need_compressed_alpha = NeedCompressedAlpha(idec);
|
const int need_compressed_alpha = NeedCompressedAlpha(idec);
|
||||||
const uint8_t* const old_start = mem->buf_ + mem->start_;
|
const uint8_t* const old_start =
|
||||||
|
(mem->buf_ == NULL) ? NULL : mem->buf_ + mem->start_;
|
||||||
const uint8_t* const old_base =
|
const uint8_t* const old_base =
|
||||||
need_compressed_alpha ? dec->alpha_data_ : old_start;
|
need_compressed_alpha ? dec->alpha_data_ : old_start;
|
||||||
|
assert(mem->buf_ != NULL || mem->start_ == 0);
|
||||||
assert(mem->mode_ == MEM_MODE_APPEND);
|
assert(mem->mode_ == MEM_MODE_APPEND);
|
||||||
if (data_size > MAX_CHUNK_PAYLOAD) {
|
if (data_size > MAX_CHUNK_PAYLOAD) {
|
||||||
// security safeguard: trying to allocate more than what the format
|
// security safeguard: trying to allocate more than what the format
|
||||||
@ -184,7 +186,7 @@ static int AppendToMemBuffer(WebPIDecoder* const idec,
|
|||||||
uint8_t* const new_buf =
|
uint8_t* const new_buf =
|
||||||
(uint8_t*)WebPSafeMalloc(extra_size, sizeof(*new_buf));
|
(uint8_t*)WebPSafeMalloc(extra_size, sizeof(*new_buf));
|
||||||
if (new_buf == NULL) return 0;
|
if (new_buf == NULL) return 0;
|
||||||
memcpy(new_buf, old_base, current_size);
|
if (old_base != NULL) memcpy(new_buf, old_base, current_size);
|
||||||
WebPSafeFree(mem->buf_);
|
WebPSafeFree(mem->buf_);
|
||||||
mem->buf_ = new_buf;
|
mem->buf_ = new_buf;
|
||||||
mem->buf_size_ = (size_t)extra_size;
|
mem->buf_size_ = (size_t)extra_size;
|
||||||
@ -192,6 +194,7 @@ static int AppendToMemBuffer(WebPIDecoder* const idec,
|
|||||||
mem->end_ = current_size;
|
mem->end_ = current_size;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
assert(mem->buf_ != NULL);
|
||||||
memcpy(mem->buf_ + mem->end_, data, data_size);
|
memcpy(mem->buf_ + mem->end_, data, data_size);
|
||||||
mem->end_ += data_size;
|
mem->end_ += data_size;
|
||||||
assert(mem->end_ <= mem->buf_size_);
|
assert(mem->end_ <= mem->buf_size_);
|
||||||
@ -204,7 +207,9 @@ static int RemapMemBuffer(WebPIDecoder* const idec,
|
|||||||
const uint8_t* const data, size_t data_size) {
|
const uint8_t* const data, size_t data_size) {
|
||||||
MemBuffer* const mem = &idec->mem_;
|
MemBuffer* const mem = &idec->mem_;
|
||||||
const uint8_t* const old_buf = mem->buf_;
|
const uint8_t* const old_buf = mem->buf_;
|
||||||
const uint8_t* const old_start = old_buf + mem->start_;
|
const uint8_t* const old_start =
|
||||||
|
(old_buf == NULL) ? NULL : old_buf + mem->start_;
|
||||||
|
assert(old_buf != NULL || mem->start_ == 0);
|
||||||
assert(mem->mode_ == MEM_MODE_MAP);
|
assert(mem->mode_ == MEM_MODE_MAP);
|
||||||
|
|
||||||
if (data_size < mem->buf_size_) return 0; // can't remap to a shorter buffer!
|
if (data_size < mem->buf_size_) return 0; // can't remap to a shorter buffer!
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user