mirror of
https://github.com/webmproject/libwebp.git
vp8l_enc,WriteImage: add missing error check
VP8LBitWriterFinish() may cause the VP8LBitWriter's buffer to be grown. If that allocation fails, VP8LBitWriterNumBytes() will return a size larger than the current allocation resulting in a heap overwrite of the missing bytes. ==3531848==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000000880 at pc 0x556eddfa1007 bp 0x7ffe434c7a90 sp 0x7ffe434c7260 READ of size 2052 at 0x61d000000880 thread T0 #0 0x556eddfa1006 in __asan_memcpy #1 0x556eddfeeccf in WebPMemoryWrite src/enc/picture_enc.c:220:5 #2 0x556ede0f9f87 in WriteImage src/enc/vp8l_enc.c:1454:8 Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz). Change-Id: Ib1c9454c2c51849b0ba58c5347e6bd5b02a12fbe
parent
2e5a9ec3b6
commit
d49cfbb348
@ -1449,6 +1449,11 @@ static int WriteImage(const WebPPicture* const pic, VP8LBitWriter* const bw,
|
|||||||
const size_t vp8l_size = VP8L_SIGNATURE_SIZE + webpll_size;
|
const size_t vp8l_size = VP8L_SIGNATURE_SIZE + webpll_size;
|
||||||
const size_t pad = vp8l_size & 1;
|
const size_t pad = vp8l_size & 1;
|
||||||
const size_t riff_size = TAG_SIZE + CHUNK_HEADER_SIZE + vp8l_size + pad;
|
const size_t riff_size = TAG_SIZE + CHUNK_HEADER_SIZE + vp8l_size + pad;
|
||||||
|
*coded_size = 0;
|
||||||
|
|
||||||
|
if (bw->error_) {
|
||||||
|
return WebPEncodingSetError(pic, VP8_ENC_ERROR_OUT_OF_MEMORY);
|
||||||
|
}
|
||||||
|
|
||||||
if (!WriteRiffHeader(pic, riff_size, vp8l_size) ||
|
if (!WriteRiffHeader(pic, riff_size, vp8l_size) ||
|
||||||
!pic->writer(webpll_data, webpll_size, pic)) {
|
!pic->writer(webpll_data, webpll_size, pic)) {
|
||||||
|
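Review bot: The new `if (bw->error_)` guard has no comment saying why it must run before `webpll_data`/`webpll_size` are used, so a later reorder could silently reintroduce the bug; I would add `// VP8LBitWriterFinish() may fail to grow the buffer; webpll_size then exceeds the allocation, so bail out before any write.` above it. The ASan trace in the description reports a READ in the memcpy under WebPMemoryWrite, so the likely impact is adjacent heap bytes being copied into the encoded output rather than a write past a buffer, which is worth stating accurately for triage. The guard fixes only this call site, so other callers that pair VP8LBitWriterFinish() with VP8LBitWriterNumBytes() should presumably be audited for the same missing check, and an allocation-failure test for WriteImage would keep this from regressing. WriteImage starts and ends outside the hunk.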