dany/libwebp
1
0
Fork 0
mirror of https://github.com/webmproject/libwebp.git synced 2024-12-26 05:38:22 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Limit memory allocation when reading invalid Huffman codes.

Browse Source 
This is a backported fix for: CVE-2020-36332

This is a merge of:
dce5d76431
39cb9aad85
067031eaed

Change-Id: I166e3d7ccef73be26ff9eb4fa8943efd3dac2d81
This commit is contained in:
Vincent Rabaud 2023-10-03 14:08:26 +02:00
parent a4a8e5f32c
commit 7c3b7cc61b
1 changed files with 102 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
src/dec/vp8l.c
View File

@ -362,11 +362,14 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
uint32_t* huffman_image = NULL; uint32_t* huffman_image = NULL;
HTreeGroup* htree_groups = NULL; HTreeGroup* htree_groups = NULL;
HuffmanCode* huffman_tables = NULL; HuffmanCode* huffman_tables = NULL;
HuffmanCode* next = NULL; HuffmanCode* huffman_table = NULL;
int num_htree_groups = 1; int num_htree_groups = 1;
int num_htree_groups_max = 1;
int max_alphabet_size = 0; int max_alphabet_size = 0;
int* code_lengths = NULL; int* code_lengths = NULL;
const int table_size = kTableSize[color_cache_bits]; const int table_size = kTableSize[color_cache_bits];
int* mapping = NULL;
int ok = 0;
if (allow_recursion && VP8LReadBits(br, 1)) { if (allow_recursion && VP8LReadBits(br, 1)) {
// use meta Huffman codes. // use meta Huffman codes.
@ -383,10 +386,36 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
// The huffman data is stored in red and green bytes. // The huffman data is stored in red and green bytes.
const int group = (huffman_image[i] >> 8) & 0xffff; const int group = (huffman_image[i] >> 8) & 0xffff;
huffman_image[i] = group; huffman_image[i] = group;
if (group >= num_htree_groups) { if (group >= num_htree_groups_max) {
num_htree_groups = group + 1; num_htree_groups_max = group + 1;
} }
} }
// Check the validity of num_htree_groups_max. If it seems too big, use a
// smaller value for later. This will prevent big memory allocations to end
// up with a bad bitstream anyway.
// The value of 1000 is totally arbitrary. We know that num_htree_groups_max
// is smaller than (1 << 16) and should be smaller than the number of pixels
// (though the format allows it to be bigger).
if (num_htree_groups_max > 1000 || num_htree_groups_max > xsize * ysize) {
// Create a mapping from the used indices to the minimal set of used
// values [0, num_htree_groups)
mapping = (int*)WebPSafeMalloc(num_htree_groups_max, sizeof(*mapping));
if (mapping == NULL) {
dec->status_ = VP8_STATUS_OUT_OF_MEMORY;
goto Error;
}
// -1 means a value is unmapped, and therefore unused in the Huffman
// image.
memset(mapping, 0xff, num_htree_groups_max * sizeof(*mapping));
for (num_htree_groups = 0, i = 0; i < huffman_pixs; ++i) {
// Get the current mapping for the group and remap the Huffman image.
int* const mapped_group = &mapping[huffman_image[i]];
if (*mapped_group == -1) *mapped_group = num_htree_groups++;
huffman_image[i] = *mapped_group;
}
} else {
num_htree_groups = num_htree_groups_max;
}
} }
if (br->eos_) goto Error; if (br->eos_) goto Error;
@ -413,9 +442,24 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
goto Error; goto Error;
} }
next = huffman_tables; huffman_table = huffman_tables;
for (i = 0; i < num_htree_groups; ++i) { for (i = 0; i < num_htree_groups_max; ++i) {
HTreeGroup* const htree_group = &htree_groups[i]; // If the index "i" is unused in the Huffman image, just make sure the
// coefficients are valid but do not store them.
if (mapping != NULL && mapping[i] == -1) {
for (j = 0; j < HUFFMAN_CODES_PER_META_CODE; ++j) {
int alphabet_size = kAlphabetSize[j];
if (j == 0 && color_cache_bits > 0) {
alphabet_size += (1 << color_cache_bits);
}
// Passing in NULL so that nothing gets filled.
if (!ReadHuffmanCode(alphabet_size, dec, code_lengths, NULL)) {
goto Error;
}
}
} else {
HTreeGroup* const htree_group =
&htree_groups[(mapping == NULL) ? i : mapping[i]];
HuffmanCode** const htrees = htree_group->htrees; HuffmanCode** const htrees = htree_group->htrees;
int size; int size;
int total_size = 0; int total_size = 0;
@ -423,19 +467,19 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
int max_bits = 0; int max_bits = 0;
for (j = 0; j < HUFFMAN_CODES_PER_META_CODE; ++j) { for (j = 0; j < HUFFMAN_CODES_PER_META_CODE; ++j) {
int alphabet_size = kAlphabetSize[j]; int alphabet_size = kAlphabetSize[j];
htrees[j] = next; htrees[j] = huffman_table;
if (j == 0 && color_cache_bits > 0) { if (j == 0 && color_cache_bits > 0) {
alphabet_size += 1 << color_cache_bits; alphabet_size += (1 << color_cache_bits);
} }
size = ReadHuffmanCode(alphabet_size, dec, code_lengths, next); size = ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_table);
if (size == 0) { if (size == 0) {
goto Error; goto Error;
} }
if (is_trivial_literal && kLiteralMap[j] == 1) { if (is_trivial_literal && kLiteralMap[j] == 1) {
is_trivial_literal = (next->bits == 0); is_trivial_literal = (huffman_table->bits == 0);
} }
total_size += next->bits; total_size += huffman_table->bits;
next += size; huffman_table += size;
if (j <= ALPHA) { if (j <= ALPHA) {
int local_max_bits = code_lengths[0]; int local_max_bits = code_lengths[0];
int k; int k;
@ -453,32 +497,34 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
const int red = htrees[RED][0].value; const int red = htrees[RED][0].value;
const int blue = htrees[BLUE][0].value; const int blue = htrees[BLUE][0].value;
const int alpha = htrees[ALPHA][0].value; const int alpha = htrees[ALPHA][0].value;
htree_group->literal_arb = htree_group->literal_arb = ((uint32_t)alpha << 24) | (red << 16) | blue;
((uint32_t)alpha << 24) | (red << 16) | blue;
if (total_size == 0 && htrees[GREEN][0].value < NUM_LITERAL_CODES) { if (total_size == 0 && htrees[GREEN][0].value < NUM_LITERAL_CODES) {
htree_group->is_trivial_code = 1; htree_group->is_trivial_code = 1;
htree_group->literal_arb |= htrees[GREEN][0].value << 8; htree_group->literal_arb |= htrees[GREEN][0].value << 8;
} }
} }
htree_group->use_packed_table = !htree_group->is_trivial_code && htree_group->use_packed_table =
(max_bits < HUFFMAN_PACKED_BITS); !htree_group->is_trivial_code && (max_bits < HUFFMAN_PACKED_BITS);
if (htree_group->use_packed_table) BuildPackedTable(htree_group); if (htree_group->use_packed_table) BuildPackedTable(htree_group);
} }
WebPSafeFree(code_lengths); }
ok = 1;
// All OK. Finalize pointers and return. // All OK. Finalize pointers.
hdr->huffman_image_ = huffman_image; hdr->huffman_image_ = huffman_image;
hdr->num_htree_groups_ = num_htree_groups; hdr->num_htree_groups_ = num_htree_groups;
hdr->htree_groups_ = htree_groups; hdr->htree_groups_ = htree_groups;
hdr->huffman_tables_ = huffman_tables; hdr->huffman_tables_ = huffman_tables;
return 1;
Error: Error:
WebPSafeFree(code_lengths); WebPSafeFree(code_lengths);
WebPSafeFree(mapping);
if (!ok) {
WebPSafeFree(huffman_image); WebPSafeFree(huffman_image);
WebPSafeFree(huffman_tables); WebPSafeFree(huffman_tables);
VP8LHtreeGroupsFree(htree_groups); VP8LHtreeGroupsFree(htree_groups);
return 0; }
return ok;
} }
//------------------------------------------------------------------------------ //------------------------------------------------------------------------------