mirror of
https://github.com/webmproject/libwebp.git
synced 2024-12-26 21:58:22 +01:00
Detect if StoreFrame read more than anmf_payload_size bytes
After ParseAnimationFrame() calls StoreFrame(), check if StoreFrame() reads more than anmf_payload_size bytes from dmux->mem_. Treat that as PARSE_ERROR. Change-Id: I0d03885c19d32792af78de7bed1a944ca01f1dc6
This commit is contained in:
parent
17fd4ba820
commit
4b3c6953ef
@ -312,6 +312,7 @@ static ParseStatus ParseAnimationFrame(
|
|||||||
int bits;
|
int bits;
|
||||||
MemBuffer* const mem = &dmux->mem_;
|
MemBuffer* const mem = &dmux->mem_;
|
||||||
Frame* frame;
|
Frame* frame;
|
||||||
|
size_t start_offset;
|
||||||
ParseStatus status =
|
ParseStatus status =
|
||||||
NewFrame(mem, ANMF_CHUNK_SIZE, frame_chunk_size, &frame);
|
NewFrame(mem, ANMF_CHUNK_SIZE, frame_chunk_size, &frame);
|
||||||
if (status != PARSE_OK) return status;
|
if (status != PARSE_OK) return status;
|
||||||
@ -332,7 +333,11 @@ static ParseStatus ParseAnimationFrame(
|
|||||||
|
|
||||||
// Store a frame only if the animation flag is set there is some data for
|
// Store a frame only if the animation flag is set there is some data for
|
||||||
// this frame is available.
|
// this frame is available.
|
||||||
|
start_offset = mem->start_;
|
||||||
status = StoreFrame(dmux->num_frames_ + 1, anmf_payload_size, mem, frame);
|
status = StoreFrame(dmux->num_frames_ + 1, anmf_payload_size, mem, frame);
|
||||||
|
if (status != PARSE_ERROR && mem->start_ - start_offset > anmf_payload_size) {
|
||||||
|
status = PARSE_ERROR;
|
||||||
|
}
|
||||||
if (status != PARSE_ERROR && is_animation && frame->frame_num_ > 0) {
|
if (status != PARSE_ERROR && is_animation && frame->frame_num_ > 0) {
|
||||||
added_frame = AddFrame(dmux, frame);
|
added_frame = AddFrame(dmux, frame);
|
||||||
if (added_frame) {
|
if (added_frame) {
|
||||||
|
Loading…
Reference in New Issue
Block a user