when referring to the RIFF chunk size; this is more consistent with
other documentation.
Bug: webp:611
Change-Id: Icf05491ee79f5c48fab0b4935da397b4e4e45a71
The serial comma change is based on the Chicago Manual of Style
(CMOS), 17th edition.
Bug: webp:611
Change-Id: Ic02e6652662608414c16e0fead2912781a47633d
ExpandColorMap() can fail due to a memory allocation failure.
Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
Change-Id: I868c5db2fee18e876f4aa3b63e744d7297d1a91b
WebPAnimEncoderAdd() may fail due to muxer errors that are reported as
booleans. When running under the nallocfuzz engine, ignore all failures.
Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
Change-Id: I36589545d20ac30a67f7e09264146db085dee6ca
Move the details given for meta prefix codes and the transforms from
"5.1. Roles of Image Data" to their corresponding sections.
Bug: webp:611
Change-Id: I750a3f45956d0a3928a22113180a2590ac1a36db
After processing the Color Indexing Transform the image width is
subsampled by the transform's width_bits.
Bug: webp:611
Change-Id: If8d2d47dbe05e5c8085fb3fb4c1b63552be9028b
in AllocateAlphaPlane() and VP8DecompressAlphaRows().
Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
Change-Id: I39eb305abfe9f4d7915cce5d91e72917f482bc20
rather than WebPDecodeRGBA(). This allows finer grained error detection
and avoids an abort() when running under the nallocfuzz engine.
Change-Id: I8ff37f2fe7e1c8b39bd4a8bfe7b26ac41149ba42
pic.error_code may be set to VP8_ENC_ERROR_BAD_WRITE if the writer fails
due to a memory allocation failure.
Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
Change-Id: I912c9e5f9a37b78832c52d9ab6f0710967fbadac
This is unnecessary as green will have the largest value; the sizes are
currently: 256 + 24 + color_cache_size, 256, 40, in that order.
Change-Id: Ib9ce3292285a7b9c6089557b68a87184b68d17a5
This function may fail due to allocation failures. Use the
NALLOC_FUZZ_VERSION environment variable to detect the engine. This was
added in:
9c9a9883cc
Change-Id: Ia5b6fd9458ffa1f810152a10ab49a48c75d17687
If ReadBits(0) == 0, the value of max_symbol is set to the alphabet size
for each symbol type.
See vp8l_dec.c, ReadHuffmanCode(), which passes alphabet_size to
ReadHuffmanCodeLengths() as num_symbols, and ReadHuffmanCodeLengths()
then sets max_symbol to that.
Bug: webp:611
Change-Id: I662bd1d7f372e7f2e9c71cc86f87aefd02f36647
Make Entropy Image and Interpretation of Meta Prefix Codes their own
section for ease of reference.
Bug: webp:611
Change-Id: I2dba7b4efd02d8bb250810ebff42ac1687262804
follow up to:
29c9f2d4 webp-lossless-bitstream-spec: minor wording updates
Universally use 'transform' over 'transformation'. The doc generally
uses 'transform' to talk about the individual transforms themselves as
well as their related data.
Bug: webp:611
Change-Id: I097701873bbc440bd399ab5440a914a14f7c62f6
The last use of #decoding-the-code-lengths was removed in:
86f94ee0 Update lossless spec with Huffman codes.
Also remove the redundant section header associated with it.
Bug: webp:611
Change-Id: I7f6bb1a1b75255324f185f4591313d9e6d49d1e9
Users of the encoder (including anim_encode.c) and areas of the encoder
itself rely on the status returned via WebPPicture.
Change-Id: Id786176b8ac3b2329d1e41b9dacbb8dcc5d822e4
VP8LBitWriterFinish() may cause the VP8LBitWriter's buffer to be grown.
If that allocation fails, VP8LBitWriterNumBytes() will return a size
larger than the current allocation resulting in a heap overwrite of the
missing bytes.
==13==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61900005b880 at pc 0x00000049ffc1 bp 0x7fff144f5b40 sp 0x7fff144f5310
READ of size 1028 at 0x61900005b880 thread T0
#0 0x49ffc0 in __asan_memcpy
#1 0x695861 in VP8BitWriterAppend src/utils/bit_writer_utils.c:186:3
#2 0x65acf9 in EncodeAlphaInternal src/enc/alpha_enc.c:169:14
Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
This is the same issue that was fixed in the non-alpha lossless path in:
d49cfbb3 vp8l_enc,WriteImage: add missing error check
Bug: chromium:1455619
Change-Id: I6bd10de213707d3d6b7ce3d0d2b3942af45d317f
Remove the ambiguous 'should' which in other contexts might result in
questions as to whether it is a SHOULD or a MUST.
Change-Id: I9b396187ebde5ea5a0dbaf42daee6acf541258cd
VP8LBitWriterFinish() may cause the VP8LBitWriter's buffer to be grown.
If that allocation fails, VP8LBitWriterNumBytes() will return a size
larger than the current allocation resulting in a heap overwrite of the
missing bytes.
==3531848==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61d000000880 at pc 0x556eddfa1007 bp 0x7ffe434c7a90 sp 0x7ffe434c7260
READ of size 2052 at 0x61d000000880 thread T0
#0 0x556eddfa1006 in __asan_memcpy
#1 0x556eddfeeccf in WebPMemoryWrite src/enc/picture_enc.c:220:5
#2 0x556ede0f9f87 in WriteImage src/enc/vp8l_enc.c:1454:8
Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
Change-Id: Ib1c9454c2c51849b0ba58c5347e6bd5b02a12fbe
This prevents leaks should an allocation fail.
Spotted by Philippe Antoine (p dot antoine at catenacyber dot fr)
and https://github.com/catenacyber/nallocfuzz.
Change-Id: I07a8a475a282b18bf2f9015cc5b1120772babd48
The default was changed from 5MB to 64KB in 3.1.27 [1] causing image
decodes to fail. This restores the old default. In testing, 1536KB was
enough for the sample image, 1024KB was not.
[1]: https://github.com/emscripten-core/emscripten/blob/main/ChangeLog.md#3127---112922
Bug: webp:614
Change-Id: I1ff7afc72fa49d88d2efe88d2a04dfadbea3b1a5
Fixed: webp:614
Test: emcc 3.1.18 & 3.1.41
The buffers are made mandatory to match WebPDecodeYUVInto(), though this
conflicts with WebPIDecGetYUVA().
spotted by Oliver Kunz (okunz at google dot com)
Change-Id: Ic4740c53b75da6b93d4f3462303fb9be0ebfbd48
