mirror of
https://github.com/webmproject/libwebp.git
synced 2025-08-31 08:12:09 +02:00
Add fbounds-safety annotations in huffman_utils.c/.h
Reasoning: In `HuffmanTablesSegment` (`src/utils/huffman_utils.h`), `start` was annotated `WEBP_COUNTED_BY_OR_NULL(size)` as it points to an allocation of `size` elements. `curr_table` was annotated `WEBP_UNSAFE_INDEXABLE` because it iterates within `[start, start + size)`, a bound that cannot be expressed statically in the struct without ABI changes. The code manually checks bounds for `curr_table` (e.g., `src/utils/huffman_utils.c:240-241`). To support the annotation on `start`, allocation sites in `VP8LBuildHuffmanTable` and `VP8LHuffmanTablesAllocate` (`src/utils/huffman_utils.c`) were refactored to assign `start` and `size` side-by-side, using `WEBP_BIDI_INDEXABLE` local variables to hold the safe pointer returned by `WebPSafeMalloc`. `VP8LHuffmanTablesDeallocate` was updated to set `size` to 0 when `start` is freed.

The `root_table` parameter of `BuildHuffmanTable` (`src/utils/huffman_utils.c:86`) was annotated `WEBP_BIDI_INDEXABLE` to accommodate accesses to secondary tables beyond the `root_table` size since, by explicitly annotating the local variable `table` as `WEBP_BIDI_INDEXABLE`, `table` inherits its bounds from `root_table`. Call sites in `VP8LBuildHuffmanTable` required `WEBP_UNSAFE_FORGE_BIDI_INDEXABLE` to convert the unsafe `curr_table` to the safe `root_table`.

The `table` parameter of `ReplicateValue` (`src/utils/huffman_utils.c:59`) was annotated `WEBP_COUNTED_BY(end - step + 1)` and the function was refactored to avoid modifying `end`. Call sites in `BuildHuffmanTable` required `WEBP_UNSAFE_FORGE_BIDI_INDEXABLE` because the strided access patterns used for Huffman table construction cannot be statically verified by the compiler.

Bug: 432511821
Change-Id: I77c5c82ac36bc9bb79cd5119a4113ac5d62af762
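The allocation invariant the commit describes, modelled as an added example that is not libwebp code: `size` is assigned together with `start`, zeroed on free, and the unsafe-indexable cursor is bounds-checked by hand. The `COUNTED_BY_OR_NULL`/`UNSAFE_INDEXABLE` macros, the `Segment` struct and the function names are hypothetical stand-ins for the `WEBP_*` annotations and `HuffmanTablesSegment`; they expand to nothing so the file builds on any C compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Stand-ins for the WEBP_* annotation macros. Under clang -fbounds-safety
   they would expand to __counted_by_or_null(n) and __unsafe_indexable;
   here they expand to nothing so this compiles anywhere. */
#define COUNTED_BY_OR_NULL(n)
#define UNSAFE_INDEXABLE
typedef struct { uint8_t bits; uint16_t value; } Code;
/* Hypothetical mirror of HuffmanTablesSegment: 'size' must always describe
   the allocation behind 'start', so the two are assigned side by side. */
typedef struct {
  Code* COUNTED_BY_OR_NULL(size) start;
  int size;
  Code* UNSAFE_INDEXABLE curr_table;  /* cursor inside [start, start + size) */
} Segment;
/* Allocate 'size' codes; on failure the segment is left empty (NULL, 0). */
int SegmentAllocate(Segment* seg, int size) {
  Code* p = (size > 0) ? (Code*)calloc((size_t)size, sizeof(*p)) : NULL;
  seg->start = p;
  seg->size = (p != NULL) ? size : 0;  /* bound never stale or orphaned */
  seg->curr_table = p;
  return p != NULL;
}
/* Free and zero the count together, as VP8LHuffmanTablesDeallocate now does. */
void SegmentDeallocate(Segment* seg) {
  free(seg->start);
  seg->start = NULL; seg->size = 0; seg->curr_table = NULL;
}
/* The manual check the compiler cannot do for the unsafe-indexable cursor:
   hand out 'n' codes only if they fit, otherwise NULL rather than overrun. */
Code* SegmentReserve(Segment* seg, int n) {
  if (seg->start == NULL || n < 0) return NULL;
  ptrdiff_t used = seg->curr_table - seg->start;
  if (n > seg->size - used) return NULL;
  Code* table = seg->curr_table;
  seg->curr_table += n;
  return table;
}
/* Exercises the invariant; returns 1 when every check behaves as expected. */
int SegmentSelfCheck(void) {
  Segment s;
  if (!SegmentAllocate(&s, 8)) return 0;
  int ok = SegmentReserve(&s, 5) != NULL && SegmentReserve(&s, 4) == NULL &&
           SegmentReserve(&s, 3) != NULL && SegmentReserve(&s, 1) == NULL;
  SegmentDeallocate(&s);
  return ok && s.size == 0 && SegmentReserve(&s, 0) == NULL;
}
```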
@@ -54,7 +54,8 @@ static WEBP_INLINE int CheckSizeOverflow(uint64_t size) {
// somewhere (like: malloc(num_pixels * sizeof(*something))). That's why this
// safe malloc() borrows the signature from calloc(), pointing at the dangerous
// underlying multiply involved.
WEBP_EXTERN void* WebPSafeMalloc(uint64_t nmemb, size_t size);
WEBP_EXTERN void* WEBP_SIZED_BY_OR_NULL(nmemb* size)
WebPSafeMalloc(uint64_t nmemb, size_t size);
// Note that WebPSafeCalloc() expects the second argument type to be 'size_t'
// in order to favor the "calloc(num_foo, sizeof(foo))" pattern.
WEBP_EXTERN void* WEBP_SIZED_BY_OR_NULL(nmemb* size)
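Review bot: the bound expression `nmemb* size` on the new `WebPSafeMalloc` and `WebPSafeCalloc` declarations uses inconsistent spacing; write it as `nmemb * size` in both places. That product is also exactly the multiply the comment above calls dangerous, so the `_OR_NULL` form is the right choice, and a one-line comment beside the annotation saying that the byte bound only holds on a non-NULL return (the overflow case handled via `CheckSizeOverflow`) would help readers of the header.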