dany/libwebp
1
0
Fork 0
mirror of https://github.com/webmproject/libwebp.git synced 2025-04-11 03:16:48 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

* strengthen riff/chunk size checks

Browse Source 
* don't consider odd-sized chunks being an error

Change-Id: I2901b071232bb996680cf155e1a25a6a9388f222
This commit is contained in:
Pascal Massimino 2011-02-16 13:24:55 -08:00
parent 1dc4611a3a
commit 73c973e6da
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/dec/webp.c
View File

@ -45,16 +45,20 @@ static uint32_t CheckRIFFHeader(const uint8_t** data_ptr,
return 0; // wrong image file signature return 0; // wrong image file signature
} else { } else {
const uint32_t riff_size = get_le32(*data_ptr + 4); const uint32_t riff_size = get_le32(*data_ptr + 4);
if (riff_size < 12) {
return 0; // we should have at least one chunk
}
if (memcmp(*data_ptr + 12, "VP8 ", 4)) { if (memcmp(*data_ptr + 12, "VP8 ", 4)) {
return 0; // invalid compression format return 0; // invalid compression format
} }
chunk_size = get_le32(*data_ptr + 16); chunk_size = get_le32(*data_ptr + 16);
if ((chunk_size > riff_size + 8) || (chunk_size & 1)) { if (chunk_size > riff_size - 12) {
return 0; // inconsistent size information. return 0; // inconsistent size information.
} }
// We have a IFF container. Skip it. // We have a IFF container. Skip it.
*data_ptr += 20; *data_ptr += 20;
*data_size_ptr -= 20; *data_size_ptr -= 20;
// Note: we don't report error for odd-sized chunks.
} }
return chunk_size; return chunk_size;
} }
@ -559,7 +563,7 @@ int WebPGetInfo(const uint8_t* data, uint32_t data_size,
if (!((bits >> 4) & 1)) { if (!((bits >> 4) & 1)) {
return 0; // first frame is invisible! return 0; // first frame is invisible!
} }
if (((bits >> 5)) >= chunk_size) { // partition_length if (((bits >> 5)) >= chunk_size) { // partition_length
return 0; // inconsistent size information. return 0; // inconsistent size information.
} }