From 4338cd36fe0a0a1c02ecd8ff87c1880cd6ca9c22 Mon Sep 17 00:00:00 2001
From: Yannis Guyon
Date: Wed, 4 Jul 2018 20:19:47 +0200
Subject: [PATCH] misc fixes in libwebpmux * Assert chunklist * fix potential memory leak and * fix null pointer access There should not be several alpha_ or img_ chunks in SynthesizeBitstream. Use ChunkListDelete in MuxImageRelease to be safe. A null pointer accessed in WebPMuxPushFrame triggered a harmless runtime error.
Change-Id: I3027f8752093652bd41f55e667d041c0de77ab6e
---
 src/mux/muxedit.c | 6 +++---
 src/mux/muxinternal.c | 8 +++++---
 src/mux/muxread.c | 4 ++++
 3 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/mux/muxedit.c b/src/mux/muxedit.c
index 7c1e0e08..ccf14b2a 100644
--- a/src/mux/muxedit.c
+++ b/src/mux/muxedit.c
@@ -266,14 +266,14 @@ WebPMuxError WebPMuxPushFrame(WebPMux* mux, const WebPMuxFrameInfo* info,
 int copy_data) {
 WebPMuxImage wpi;
 WebPMuxError err;
- const WebPData* const bitstream = &info->bitstream;
 // Sanity checks.
 if (mux == NULL || info == NULL) return WEBP_MUX_INVALID_ARGUMENT;
 if (info->id != WEBP_CHUNK_ANMF) return WEBP_MUX_INVALID_ARGUMENT;
- if (bitstream->bytes == NULL || bitstream->size > MAX_CHUNK_PAYLOAD) {
+ if (info->bitstream.bytes == NULL ||
+ info->bitstream.size > MAX_CHUNK_PAYLOAD) {
 return WEBP_MUX_INVALID_ARGUMENT;
 }
@@ -287,7 +287,7 @@ WebPMuxError WebPMuxPushFrame(WebPMux* mux, const WebPMuxFrameInfo* info,
 }
 MuxImageInit(&wpi);
- err = SetAlphaAndImageChunks(bitstream, copy_data, &wpi);
+ err = SetAlphaAndImageChunks(&info->bitstream, copy_data, &wpi);
 if (err != WEBP_MUX_OK) goto Err;
 assert(wpi.img_ != NULL); // As SetAlphaAndImageChunks() was successful.
diff --git a/src/mux/muxinternal.c b/src/mux/muxinternal.c
index 8fa55b1c..b9ee6717 100644
--- a/src/mux/muxinternal.c
+++ b/src/mux/muxinternal.c
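Review bot: In src/mux/muxedit.c, the sanity-check block of WebPMuxPushFrame gives no hint that `info` must not be touched before the `info == NULL` test, which is the reason the `bitstream` local was dropped, so a later cleanup could reintroduce it. I would add a comment above the checks such as `// Do not form &info->bitstream before info has been checked against NULL.` The function body continues outside both muxedit.c hunks.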
@@ -227,9 +227,11 @@ void MuxImageInit(WebPMuxImage* const wpi) {
 WebPMuxImage* MuxImageRelease(WebPMuxImage* const wpi) {
 WebPMuxImage* next;
 if (wpi == NULL) return NULL;
- ChunkDelete(wpi->header_);
- ChunkDelete(wpi->alpha_);
- ChunkDelete(wpi->img_);
+ // There should be at most one chunk of header_, alpha_, img_ but we call
+ // ChunkListDelete to be safe
+ ChunkListDelete(&wpi->header_);
+ ChunkListDelete(&wpi->alpha_);
+ ChunkListDelete(&wpi->img_);
 ChunkListDelete(&wpi->unknown_);
 next = wpi->next_;
diff --git a/src/mux/muxread.c b/src/mux/muxread.c
index 60189f47..268f6acb 100644
--- a/src/mux/muxread.c
+++ b/src/mux/muxread.c
@@ -400,6 +400,10 @@ static WebPMuxError SynthesizeBitstream(const WebPMuxImage* const wpi,
 uint8_t* const data = (uint8_t*)WebPSafeMalloc(1ULL, size);
 if (data == NULL) return WEBP_MUX_MEMORY_ERROR;
+ // There should be at most one alpha_ chunk and exactly one img_ chunk.
+ assert(wpi->alpha_ == NULL || wpi->alpha_->next_ == NULL);
+ assert(wpi->img_ != NULL && wpi->img_->next_ == NULL);
+
 // Main RIFF header.
 dst = MuxEmitRiffHeader(data, size);
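Review bot: In MuxImageRelease (src/mux/muxinternal.c) the new comment says "to be safe" without naming the hazard, and it lacks a closing period. Going by the commit message, the risk is that releasing only the first chunk leaks anything linked behind it, so I would write `// header_, alpha_ and img_ should each hold at most one chunk; ChunkListDelete() is used so that any extra chunk is released as well.` Since these lists are presumably filled while parsing a file, the comment should also say whether a longer list can really occur or is only a defensive assumption. The function body continues past the end of the hunk.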
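Review bot: The single-chunk invariant in SynthesizeBitstream (src/mux/muxread.c) is enforced only by `assert()`, which is compiled out when NDEBUG is defined, so a release build checks nothing here. `size` is computed before the hunk and the chunk emission follows after it, neither of which is visible; if `size` accounts for one alpha_ and one img_ chunk while the emit code walks the whole list, a violated invariant would write past `data`, and a NULL `img_` would presumably be dereferenced. I would keep the asserts for debug builds and add a runtime check that frees `data` and returns an error, as sketched below. The error code is a suggestion, and the function body starts before and continues after the hunk.

```c
  if (data == NULL) return WEBP_MUX_MEMORY_ERROR;

  // Enforced at run time as well: assert() is a no-op under NDEBUG.
  if ((wpi->alpha_ != NULL && wpi->alpha_->next_ != NULL) ||
      wpi->img_ == NULL || wpi->img_->next_ != NULL) {
    WebPSafeFree(data);
    return WEBP_MUX_INVALID_ARGUMENT;
  }
  // … unchanged: the two assert() lines and the RIFF header emission …
```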