From 4cdb42070f9180edf9ffbbcddb3fab0b80877fb4 Mon Sep 17 00:00:00 2001 From: Arman Hasanzadeh Date: Wed, 20 Aug 2025 13:11:59 -0700 Subject: [PATCH] Add fbounds-safety annotations for `sorted`. Reasoning: The `sorted` parameter in `BuildHuffmanTable` (`src/utils/huffman_utils.c:87`) is annotated with `WEBP_COUNTED_BY_OR_NULL(code_lengths_size)`. Analysis of the access patterns (lines 137, 177, 207) shows that the indices used are bounded by `code_lengths_size`. Since `sorted` can be NULL, `_OR_NULL` is used. When compiling, calls to `BuildHuffmanTable` in `VP8LBuildHuffmanTable` (line 272) required forging bounds because the `sorted` buffer, allocated via `WebPSafeMalloc` or on the stack, was treated as unsafe. `WEBP_UNSAFE_FORGE_BIDI_INDEXABLE` is used at the call sites to provide the necessary bounds information. Bug: 432511821 Change-Id: I6fea3ac5d77cb56139f9748ba0277a4f0ad21737 --- src/utils/huffman_utils.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c index 8f12eac1..06554046 100644 --- a/src/utils/huffman_utils.c +++ b/src/utils/huffman_utils.c @@ -84,7 +84,8 @@ static WEBP_INLINE int NextTableBitSize(const int* const count, int len, // by code length. static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits, const int code_lengths[], int code_lengths_size, - uint16_t sorted[]) { + uint16_t WEBP_COUNTED_BY_OR_NULL(code_lengths_size) + sorted[]) { HuffmanCode* table = root_table; // next available space in table int total_size = 1 << root_bits; // total size root table + 2nd level table int len; // current code length @@ -270,8 +271,11 @@ int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits, uint16_t* const sorted = (uint16_t*)WebPSafeMalloc(code_lengths_size, sizeof(*sorted)); if (sorted == NULL) return 0; - BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits, - code_lengths, code_lengths_size, sorted); + BuildHuffmanTable( + root_table->curr_segment->curr_table, root_bits, code_lengths, + code_lengths_size, + WEBP_UNSAFE_FORGE_BIDI_INDEXABLE( + uint16_t*, sorted, (size_t)code_lengths_size * sizeof(*sorted))); WebPSafeFree(sorted); } return total_size;