From 30763333f38c80f0c802c73b86aa15c18a86c140 Mon Sep 17 00:00:00 2001
From: James Zern
Date: Mon, 22 Oct 2012 21:57:59 -0700
Subject: [PATCH] libwebp: validate chunk size in ParseOptionalChunks

the max wasn't checked leading to a rollover case, possibly exploitable. additionally check the RIFF size early, to avoid similar issues.

pulled from chromium: http://codereview.chromium.org/11229048/

Change-Id: Ifebc712bf3d3de0129b76ca4c57c68e062abc429
---
 src/dec/webp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/dec/webp.c b/src/dec/webp.c
index edd348cb..7455da94 100644
--- a/src/dec/webp.c
+++ b/src/dec/webp.c
@@ -76,6 +76,9 @@ static VP8StatusCode ParseRIFF(const uint8_t** const data,
   if (size < TAG_SIZE + CHUNK_HEADER_SIZE) {
     return VP8_STATUS_BITSTREAM_ERROR;
   }
+  if (size > MAX_CHUNK_PAYLOAD) {
+    return VP8_STATUS_BITSTREAM_ERROR;
+  }
   // We have a RIFF container. Skip it.
   *riff_size = size;
   *data += RIFF_HEADER_SIZE;
@@ -177,6 +180,9 @@ static VP8StatusCode ParseOptionalChunks(const uint8_t** const data,
   }
   chunk_size = get_le32(buf + TAG_SIZE);
+  if (chunk_size > MAX_CHUNK_PAYLOAD) {
+    return VP8_STATUS_BITSTREAM_ERROR; // Not a valid chunk size.
+  }
   // For odd-sized chunk-payload, there's one byte padding at the end.
   disk_chunk_size = (CHUNK_HEADER_SIZE + chunk_size + 1) & ~1;
   total_size += disk_chunk_size;
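Review bot: The new upper-bound check in ParseRIFF carries no comment, unlike its twin in ParseOptionalChunks, so a later reader cannot tell from the code why a RIFF size above MAX_CHUNK_PAYLOAD is rejected rather than merely clamped; the commit message gives the reason (keeping the later chunk arithmetic from wrapping), and it belongs next to the check: `// Reject sizes that would let the chunk-size arithmetic in ParseOptionalChunks wrap around.` The lower-bound check just above it could share the same comment block so the two bounds read as one validation step. ParseRIFF starts and ends outside this hunk, so where `size` is read and whether it is also compared against the actual buffer length is not visible here.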
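Review bot: Bounding chunk_size makes `CHUNK_HEADER_SIZE + chunk_size + 1` safe on the following line, but the running sum `total_size += disk_chunk_size` is still unguarded within this hunk, and ParseOptionalChunks continues outside it; if total_size is a 32-bit type and the loop can see more than one chunk, the sum of several in-range chunks can still wrap before any comparison that presumably follows. An overflow-safe form placed before the addition closes that gap independently of what the rest of the loop checks: `if (disk_chunk_size > UINT32_MAX - total_size) { return VP8_STATUS_BITSTREAM_ERROR; }` (assuming total_size is uint32_t — confirm against the declaration). It would also help to state the intent of the new bound in the comment, e.g. `// Not a valid chunk size (would overflow disk_chunk_size below).`, so the relationship to the arithmetic it protects is explicit.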