dany/libwebp
1
0
Fork 0
mirror of https://github.com/webmproject/libwebp.git synced 2025-08-29 07:12:05 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add fbounds-safety annotations for VP8BitWriter.

Browse Source 
Reasoning:

The `fbounds-safety` compiler extension reported out-of-bounds accesses
on the `buf` member of the `VP8BitWriter` struct (defined in
`src/utils/bit_writer_utils.h`, line 36). These occurred in
`src/utils/bit_writer_utils.c` at lines 70, 74, 76, and 189, where
`buf` was used with array indexing or pointer arithmetic despite being a
`__single` pointer by default.

To fix this, the `buf` member was annotated as
`__sized_by_or_null(max_pos)` in `src/utils/bit_writer_utils.h`
(line 36), associating it with the `max_pos` member which stores the
buffer size.

This annotation introduced a new build error in the `BitWriterResize`
function (`src/utils/bit_writer_utils.c`, line 55) when assigning
the result of `WebPSafeMalloc` (an `__unsafe_indexable` pointer) to the
now-annotated `bw->buf`. This was resolved by:
1. Using `bw->buf = __unsafe_forge_bidi_indexable(uint8_t*, new_buf,
   new_size);` (line 55) to create a properly bounded pointer from the
  `malloc` result (`new_buf`) using its size (`new_size`) before
  assigning it to `bw->buf`.

Bug: 432511821
Change-Id: I1a24a9a432388ccce53a5e9b3b5e58d22aa61d0c
This commit is contained in:
Arman Hasanzadeh
2025-08-13 17:00:23 -07:00
committed by James Zern
parent 2246828be3
commit cdaac01490
2 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/utils/bit_writer_utils.c
View File

@@ -52,7 +52,7 @@ static int BitWriterResize(VP8BitWriter* const bw, size_t extra_size) {
WEBP_UNSAFE_MEMCPY(new_buf, bw->buf, bw->pos);
}
WebPSafeFree(bw->buf);
bw->buf = new_buf;
bw->buf = WEBP_UNSAFE_FORGE_BIDI_INDEXABLE(uint8_t*, new_buf, new_size);
bw->max_pos = new_size;
return 1;
}

7
src/utils/bit_writer_utils.h
View File

@@ -32,9 +32,10 @@ typedef struct VP8BitWriter VP8BitWriter;
struct VP8BitWriter {
int32_t range; // range-1
int32_t value;
int run; // number of outstanding bits
int nb_bits; // number of pending bits
uint8_t* buf; // internal buffer. Re-allocated regularly. Not owned.
int run; // number of outstanding bits
int nb_bits; // number of pending bits
// internal buffer. Re-allocated regularly. Not owned.
uint8_t* WEBP_SIZED_BY_OR_NULL(max_pos) buf;
size_t pos;
size_t max_pos;
int error; // true in case of error