Apply "default unsafe" annotation across webputils

Import bounds_safety.h across all of webputils, with one exception being dsp.h, since it's imported by webputils.h in one place. Also prepend WEBP_ASSUME_UNSAFE_INDEXABLE_ABI to every webputil file to indicate to the compiler that every pointer should be treated as __unsafe_indexable. We also need to replace memcpy/memset/memmove with the unsafe variants WEBP_UNSAFE_*, as memcpy/memset/memmove require bounded/sized pointers. With this change, all of libwebputils (and libwebp) should build with -DWEBP_ENABLE_FBOUNDS_SAFETY=true Change-Id: Iad87be0455182d534c074ef6dc1a30fa66b74b6c
2025-08-30 07:42:27 +02:00 · 2025-07-31 23:06:07 +00:00
parent 44257cb826
commit ff87eeecc9
29 changed files with 130 additions and 29 deletions
--- a/src/utils/utils.c
+++ b/src/utils/utils.c
@@ -17,10 +17,13 @@
 #include <stdlib.h>
 #include <string.h>  // for memcpy()

+#include "src/utils/bounds_safety.h"
 #include "src/utils/palette.h"
 #include "src/webp/encode.h"
 #include "src/webp/types.h"

+WEBP_ASSUME_UNSAFE_INDEXABLE_ABI
+
 // If PRINT_MEM_INFO is defined, extra info (like total memory used, number of
 // alloc/free etc) is printed. For debugging/tuning purpose only (it's slow,
 // and not multi-thread safe!).
@@ -228,9 +231,21 @@ void WebPSafeFree(void* const ptr) {

 // Public API functions.

-void* WebPMalloc(size_t size) { return WebPSafeMalloc(1, size); }
+void* WEBP_SINGLE WebPMalloc(size_t size) {
+  // Currently WebPMalloc/WebPFree are declared in src/webp/types.h, which does
+  // not include bounds_safety.h. As such, the "default" annotation for the
+  // pointers they accept/return is __single.
+  //
+  // All callers will need to immediately cast the returned pointer to
+  // WEBP_BIDI_INDEXABLE or WEBP_INDEXABLE via
+  // WEBP_UNSAFE_FORGE_BIDI_INDEXABLE.
+  //
+  // TODO: https://issues.webmproject.org/432511225 - Remove this once we can
+  // annotate WebPMalloc/WebPFree.
+  return WEBP_UNSAFE_FORGE_SINGLE(void*, WebPSafeMalloc(1, size));
+}

-void WebPFree(void* ptr) { WebPSafeFree(ptr); }
+void WebPFree(void* WEBP_SINGLE ptr) { WebPSafeFree(ptr); }

 //------------------------------------------------------------------------------

@@ -239,7 +254,7 @@ void WebPCopyPlane(const uint8_t* src, int src_stride, uint8_t* dst,
  assert(src != NULL && dst != NULL);
  assert(abs(src_stride) >= width && abs(dst_stride) >= width);
  while (height-- > 0) {
-    memcpy(dst, src, width);
+    WEBP_UNSAFE_MEMCPY(dst, src, width);
    src += src_stride;
    dst += dst_stride;
  }