From 6805c246e3d525f05e62de5992ca00209f2143f6 Mon Sep 17 00:00:00 2001
From: Arman Hasanzadeh
Date: Wed, 13 Aug 2025 17:18:01 -0700
Subject: [PATCH] Add fbounds-safety annotations for `start`.
Reasoning: The function `VP8LInitBitReader` in `src/utils/bit_reader_utils.c` takes a pointer `start` and a `length`. Inside the function, `start` is accessed in a loop (lines 167-168) with index `i` ranging from 0 up to a potentially modified `length` (capped at `sizeof(br->val)` on lines 164-165). The original `length` parameter accurately describes the intended size of the buffer pointed to by `start` before this capping occurs. Therefore, `start` is annotated with `__counted_by(length)` in both its definition (src/utils/bit_reader_utils.c:151) and declaration (src/utils/bit_reader_utils.h:157) to reflect this relationship and resolve the array subscript error.
Bug: 432511821
Change-Id: Ibefe213e8011ca9b0f6ea4f22651b866261153c5
---
 src/utils/bit_reader_utils.c | 3 ++-
 src/utils/bit_reader_utils.h | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/utils/bit_reader_utils.c b/src/utils/bit_reader_utils.c
index b34a84aa..0720213a 100644
--- a/src/utils/bit_reader_utils.c
+++ b/src/utils/bit_reader_utils.c
@@ -130,7 +130,8 @@ static const uint32_t kBitMask[VP8L_MAX_NUM_BIT_READ + 1] = {
 0x003fff, 0x007fff, 0x00ffff, 0x01ffff, 0x03ffff, 0x07ffff, 0x0fffff, 0x1fffff, 0x3fffff, 0x7fffff, 0xffffff};
-void VP8LInitBitReader(VP8LBitReader* const br, const uint8_t* const start,
+void VP8LInitBitReader(VP8LBitReader* const br,
+ const uint8_t* const WEBP_COUNTED_BY(length) start,
 size_t length) {
 size_t i;
 vp8l_val_t value = 0;
diff --git a/src/utils/bit_reader_utils.h b/src/utils/bit_reader_utils.h
index f926dcf7..cd3bd7e2 100644
--- a/src/utils/bit_reader_utils.h
+++ b/src/utils/bit_reader_utils.h
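Review bot: `WEBP_COUNTED_BY(length)` on `start` in the VP8LInitBitReader definition ties the bound to a parameter that, according to the commit message, the body later lowers to `sizeof(br->val)`. The body lies outside this hunk, so how that assignment interacts with the annotation cannot be confirmed from here. As far as I know, -fbounds-safety expects a count and its pointer to be updated together, and `start` is `const`, so a shrinking `length` is at best harder to reason about. I would leave `length` untouched and cap a local instead, e.g. `const size_t n = (length > sizeof(br->val)) ? sizeof(br->val) : length;`, with the load loop running to `n`.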
@@ -154,7 +154,8 @@ typedef struct {
 int eos; // true if a bit was read past the end of buffer
 } VP8LBitReader;
-void VP8LInitBitReader(VP8LBitReader* const br, const uint8_t* const start,
+void VP8LInitBitReader(VP8LBitReader* const br,
+ const uint8_t* const WEBP_COUNTED_BY(length) start,
 size_t length); // Sets a new data buffer.
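Review bot: The VP8LInitBitReader prototype follows `} VP8LBitReader;` with no comment, so the buffer contract now lives only in the `WEBP_COUNTED_BY(length)` macro, whose definition is not visible here and which presumably expands to nothing in builds without -fbounds-safety. I would add above the prototype: `// Initializes 'br' to read from 'start', which must reference at least 'length' readable bytes.` It is also worth checking whether the struct members that hold the buffer pointer and its size carry a matching annotation; the struct body is outside this hunk, and if they do not, the bound is presumably not tracked once the pointer is stored in the reader.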