From f5fbdee0ba56b56a3bac050d4961f040968e8240 Mon Sep 17 00:00:00 2001
From: James Zern <jzern@google.com>
Date: Tue, 2 Jul 2013 23:06:56 +0000
Subject: [PATCH] demux: stricter image bounds check

- validate x/y offset vs. canvas size
- with single images verify image res. == canvas res.

Change-Id: I737451d7f75c0c43c88180a903d5227f1d90cec1
---
 src/demux/demux.c | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/src/demux/demux.c b/src/demux/demux.c
index bd17ff7f..8c2250d6 100644
--- a/src/demux/demux.c
+++ b/src/demux/demux.c
@@ -597,6 +597,25 @@ static int IsValidSimpleFormat(const WebPDemuxer* const dmux) {
   return 1;
 }
 
+// If 'exact' is true, check that the image resolution matches the canvas.
+// If 'exact' is false, check that the x/y offsets do not exceed the canvas.
+static int CheckFrameBounds(const Frame* const frame, int exact,
+                            int canvas_width, int canvas_height) {
+  if (exact) {
+    if (frame->x_offset_ != 0 || frame->y_offset_ != 0) {
+      return 0;
+    }
+    if (frame->width_ != canvas_width || frame->height_ != canvas_height) {
+      return 0;
+    }
+  } else {
+    if (frame->x_offset_ < 0 || frame->y_offset_ < 0) return 0;
+    if (frame->width_ + frame->x_offset_ > canvas_width) return 0;
+    if (frame->height_ + frame->y_offset_ > canvas_height) return 0;
+  }
+  return 1;
+}
+
 static int IsValidExtendedFormat(const WebPDemuxer* const dmux) {
   const int has_fragments = !!(dmux->feature_flags_ & FRAGMENTS_FLAG);
   const int has_frames = !!(dmux->feature_flags_ & ANIMATION_FLAG);
@@ -620,7 +639,6 @@ static int IsValidExtendedFormat(const WebPDemuxer* const dmux) {
 
       if (!has_fragments && f->is_fragment_) return 0;
       if (!has_frames && f->frame_num_ > 1) return 0;
-      if (f->x_offset_ < 0 || f->y_offset_ < 0) return 0;
       if (f->complete_) {
         if (alpha->size_ == 0 && image->size_ == 0) return 0;
         // Ensure alpha precedes image bitstream.
@@ -642,6 +660,12 @@ static int IsValidExtendedFormat(const WebPDemuxer* const dmux) {
         if (f->next_ != NULL) return 0;
       }
 
+      if (f->width_ > 0 && f->height_ > 0 &&
+          !CheckFrameBounds(f, !(has_frames || has_fragments),
+                            dmux->canvas_width_, dmux->canvas_height_)) {
+        return 0;
+      }
+
       fragment_count += f->is_fragment_;
       ++frame_count;
     }