dany/libwebp
1
0
Fork 0
mirror of https://github.com/webmproject/libwebp.git synced 2025-08-28 06:42:27 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add fbounds-safety annotations for sorted.

Browse Source 
Reasoning:

The `sorted` parameter in `BuildHuffmanTable`
(`src/utils/huffman_utils.c:87`) is annotated with
`WEBP_COUNTED_BY_OR_NULL(code_lengths_size)`. Analysis of the
access patterns (lines 137, 177, 207) shows that the indices used
are bounded by `code_lengths_size`. Since `sorted` can be NULL,
`_OR_NULL` is used. When compiling, calls
to `BuildHuffmanTable` in `VP8LBuildHuffmanTable` (line 272) required forging bounds because the `sorted` buffer, allocated
via `WebPSafeMalloc` or on the stack, was treated as unsafe.
`WEBP_UNSAFE_FORGE_BIDI_INDEXABLE` is used at the call sites to
provide the necessary bounds information.

Bug: 432511821
Change-Id: I6fea3ac5d77cb56139f9748ba0277a4f0ad21737
This commit is contained in:
Arman Hasanzadeh
2025-08-20 13:11:59 -07:00
parent 2be405c472
commit 4cdb42070f
1 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/utils/huffman_utils.c
View File

@@ -84,7 +84,8 @@ static WEBP_INLINE int NextTableBitSize(const int* const count, int len,
// by code length.
static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
const int code_lengths[], int code_lengths_size,
uint16_t sorted[]) {
uint16_t WEBP_COUNTED_BY_OR_NULL(code_lengths_size)
sorted[]) {
HuffmanCode* table = root_table; // next available space in table
int total_size = 1 << root_bits; // total size root table + 2nd level table
int len; // current code length
@@ -270,8 +271,11 @@ int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits,
uint16_t* const sorted =
(uint16_t*)WebPSafeMalloc(code_lengths_size, sizeof(*sorted));
if (sorted == NULL) return 0;
BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits,
code_lengths, code_lengths_size, sorted);
BuildHuffmanTable(
root_table->curr_segment->curr_table, root_bits, code_lengths,
code_lengths_size,
WEBP_UNSAFE_FORGE_BIDI_INDEXABLE(
uint16_t*, sorted, (size_t)code_lengths_size * sizeof(*sorted)));
WebPSafeFree(sorted);
}
return total_size;