From fa6f56496a442eed59b103250021e4b14ebf1427 Mon Sep 17 00:00:00 2001
From: Jonathan Grant
Date: Sat, 13 Jan 2024 20:23:26 +0000
Subject: [PATCH] BuildHuffmanTable: add an assert for offset[] bounds

And provide a clear comment explaining why the index of offset[] is always checked within bounds.

Bug:webp:622
Change-Id: Id9b973a804b74c53dfb291f1a9dae649c0daed9d
---
 src/utils/huffman_utils.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
index b3f93a0f..ca7bafd5 100644
--- a/src/utils/huffman_utils.c
+++ b/src/utils/huffman_utils.c
@@ -124,8 +124,12 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
 const int symbol_code_length = code_lengths[symbol];
 if (code_lengths[symbol] > 0) {
 if (sorted != NULL) {
- if(offset[symbol_code_length] >= code_lengths_size) {
- return 0;
+ assert(offset[symbol_code_length] < code_lengths_size);
+ // The following check is not redundant with the assert. It prevents a
+ // potential buffer overflow that the optimizer might not be able to
+ // rule out on its own.
+ if (offset[symbol_code_length] >= code_lengths_size) {
+ return 0;
 }
 sorted[offset[symbol_code_length]++] = symbol;
 } else {
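Review bot: The comment added above the `if (offset[symbol_code_length] >= code_lengths_size)` check says the check is kept but not why the assert should hold, and "the optimizer might not be able to rule out" obscures the practical reason: `assert()` compiles out under `NDEBUG`, so the `if` is the only guard on the `sorted[...]` write in release builds. I would reword it along the lines of `// assert() is compiled out under NDEBUG; keep this check as the release-build guard on the write to sorted[].` and add one sentence naming the invariant that keeps `offset[]` values below `code_lengths_size`. If a malformed code-length table can reach this condition, debug and fuzzing builds will now abort here instead of returning 0, so the assert is only appropriate if that invariant is established earlier in BuildHuffmanTable, which starts and ends outside the hunk. The bound on `symbol_code_length` as an index into `offset[]` is likewise not visible in these lines and is worth confirming alongside.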