vp8l_enc,WriteImage: add missing error check

VP8LBitWriterFinish() may cause the VP8LBitWriter's buffer to be grown.
If that allocation fails, VP8LBitWriterNumBytes() will return a size
larger than the current allocation resulting in a heap overwrite of the
missing bytes.

==3531848==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61d000000880 at pc 0x556eddfa1007 bp 0x7ffe434c7a90 sp 0x7ffe434c7260
READ of size 2052 at 0x61d000000880 thread T0
    #0 0x556eddfa1006 in __asan_memcpy
    #1 0x556eddfeeccf in WebPMemoryWrite src/enc/picture_enc.c:220:5
    #2 0x556ede0f9f87 in WriteImage src/enc/vp8l_enc.c:1454:8

Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).

Change-Id: Ib1c9454c2c51849b0ba58c5347e6bd5b02a12fbe
(cherry picked from commit d49cfbb348)
This commit is contained in:
James Zern 2023-06-15 11:29:22 -07:00
parent fd7b5d4846
commit 6a319d4da3

View File

@ -1449,6 +1449,11 @@ static int WriteImage(const WebPPicture* const pic, VP8LBitWriter* const bw,
const size_t vp8l_size = VP8L_SIGNATURE_SIZE + webpll_size;
const size_t pad = vp8l_size & 1;
const size_t riff_size = TAG_SIZE + CHUNK_HEADER_SIZE + vp8l_size + pad;
*coded_size = 0;
if (bw->error_) {
return WebPEncodingSetError(pic, VP8_ENC_ERROR_OUT_OF_MEMORY);
}
if (!WriteRiffHeader(pic, riff_size, vp8l_size) ||
!pic->writer(webpll_data, webpll_size, pic)) {