mirror of
https://github.com/webmproject/libwebp.git
synced 2024-12-25 13:18:22 +01:00
vp8l_enc,WriteImage: add missing error check
VP8LBitWriterFinish() may cause the VP8LBitWriter's buffer to be grown.
If that allocation fails, VP8LBitWriterNumBytes() will return a size
larger than the current allocation resulting in a heap overwrite of the
missing bytes.
==3531848==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61d000000880 at pc 0x556eddfa1007 bp 0x7ffe434c7a90 sp 0x7ffe434c7260
READ of size 2052 at 0x61d000000880 thread T0
#0 0x556eddfa1006 in __asan_memcpy
#1 0x556eddfeeccf in WebPMemoryWrite src/enc/picture_enc.c:220:5
#2 0x556ede0f9f87 in WriteImage src/enc/vp8l_enc.c:1454:8
Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
Change-Id: Ib1c9454c2c51849b0ba58c5347e6bd5b02a12fbe
(cherry picked from commit d49cfbb348)
parent
fd7b5d4846
commit
6a319d4da3
@ -1449,6 +1449,11 @@ static int WriteImage(const WebPPicture* const pic, VP8LBitWriter* const bw,
|
||||
const size_t vp8l_size = VP8L_SIGNATURE_SIZE + webpll_size;
|
||||
const size_t pad = vp8l_size & 1;
|
||||
const size_t riff_size = TAG_SIZE + CHUNK_HEADER_SIZE + vp8l_size + pad;
|
||||
*coded_size = 0;
|
||||
|
||||
if (bw->error_) {
|
||||
return WebPEncodingSetError(pic, VP8_ENC_ERROR_OUT_OF_MEMORY);
|
||||
}
|
||||
|
||||
if (!WriteRiffHeader(pic, riff_size, vp8l_size) ||
|
||||
!pic->writer(webpll_data, webpll_size, pic)) {
|
||||
|
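Review bot: The new `if (bw->error_)` guard has no comment saying which earlier call it covers, so its link to the buffer-growth failure described in the commit message is easy to lose in a later refactor. I would add above it `// VP8LBitWriterFinish() may fail to grow the buffer; VP8LBitWriterNumBytes() then exceeds the allocation, so stop before pic->writer() reads webpll_size bytes.` The calls that produce `webpll_data` and `webpll_size` sit above the hunk and WriteImage continues below it, so the ordering cannot be confirmed from here; the guard only helps while it stays ahead of every use of `webpll_size` as a read length. Any other call site that pairs VP8LBitWriterFinish() with VP8LBitWriterNumBytes() is not visible on this page and probably needs the same check.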