From 9c367bc6025a4dd35a1d7d6c91e0bd6e4f14f2e3 Mon Sep 17 00:00:00 2001
From: James Zern
Date: Fri, 18 Dec 2020 11:31:44 -0800
Subject: [PATCH] WebPAnimDecoderNewInternal: validate bitstream before alloc

this avoids large allocations with corrupt files due to the canvas size

BUG=oss-fuzz:28658
Change-Id: Idd1957e5447a2dadaef1fadaf68820fcb29f045a
---
 src/demux/anim_decode.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/demux/anim_decode.c b/src/demux/anim_decode.c
index 3dcacc35..b236ceb5 100644
--- a/src/demux/anim_decode.c
+++ b/src/demux/anim_decode.c
@@ -87,11 +87,19 @@ WebPAnimDecoder* WebPAnimDecoderNewInternal(
     int abi_version) {
   WebPAnimDecoderOptions options;
   WebPAnimDecoder* dec = NULL;
+  WebPBitstreamFeatures features;
   if (webp_data == NULL ||
       WEBP_ABI_IS_INCOMPATIBLE(abi_version, WEBP_DEMUX_ABI_VERSION)) {
     return NULL;
   }
 
+  // Validate the bitstream before doing expensive allocations. The demuxer may
+  // be more tolerant than the decoder.
+  if (WebPGetFeatures(webp_data->bytes, webp_data->size, &features) !=
+      VP8_STATUS_OK) {
+    return NULL;
+  }
+
   // Note: calloc() so that the pointer members are initialized to NULL.
   dec = (WebPAnimDecoder*)WebPSafeCalloc(1ULL, sizeof(*dec));
   if (dec == NULL) goto Error;
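Review bot: The `features` filled in by the new WebPGetFeatures call in WebPAnimDecoderNewInternal are used only for the return status and then discarded, so `features.width`/`features.height` are never compared with the canvas size the demuxer reports later; presumably that demuxer value is still what sizes the allocation behind oss-fuzz:28658, and a well-formed VP8X header can still request a very large canvas. The gate therefore closes the corrupt-bitstream case only, which matches the commit message but is worth saying at the call site, e.g. `// Only the status is used; canvas geometry is still taken from the demuxer below.` If a size cap is wanted, the parsed width/height are already in hand here and could be checked before the demuxer runs. The body of WebPAnimDecoderNewInternal starts and ends outside the hunk, so the allocation itself is not visible here.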