VP8LBitWriterFinish() may cause the VP8LBitWriter's buffer to be grown.
If that allocation fails, VP8LBitWriterNumBytes() will return a size
larger than the current allocation resulting in a heap overwrite of the
missing bytes.
==3531848==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61d000000880 at pc 0x556eddfa1007 bp 0x7ffe434c7a90 sp 0x7ffe434c7260
READ of size 2052 at 0x61d000000880 thread T0
#0 0x556eddfa1006 in __asan_memcpy
#1 0x556eddfeeccf in WebPMemoryWrite src/enc/picture_enc.c:220:5
#2 0x556ede0f9f87 in WriteImage src/enc/vp8l_enc.c:1454:8
Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
Change-Id: Ib1c9454c2c51849b0ba58c5347e6bd5b02a12fbe
(cherry picked from commit d49cfbb348)
This avoids a double free should the function fail prior to
VP8BitWriterInit() and a previous trial result's buffer carried over.
Previously in ApplyFiltersAndEncode() trial.bw (with a previous
iteration's buffer) would be freed, followed by best.bw pointing to the
same buffer.
Since:
187d379d add a fallback to ALPHA_NO_COMPRESSION
In addition, check the return value of VP8BitWriterInit() in this
function.
Bug: webp:603
Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910
(cherry picked from commit a486d800b6)
This simplifies integration with the Android platform and avoids the
files from being used when a non-NDK build is performed. In that case
Android.bp is preferred.
Change-Id: I6e334cf8b05a19da8452405f5f448f9e4b6e4a40
Use prefix/exec_prefix for includedir/libdir if
CMAKE_INSTALL_{LIBDIR,INCLUDEDIR} are relative and the CMake variable
alone if they're absolute.
This matches what autoconf will produce if a custom --libdir or
--includedir are used.
See also: https://github.com/AOMediaCodec/libavif/issues/1220
Change-Id: I6fbc016c0009ede42e1e5db3a9ee7ae9545d8da0
for fixes to the distance_map pseudo-code, the inverse color transform
description and the num_code_lengths check.
Bug: webp:448
Bug: webp:551
Change-Id: Id7e791b97704dd64bb9519657ce48b92cb457ae4
The prose describing the process was missed in:
44dd765d webp-lossless-bitstream-spec: fix ColorTransform impl
Bug: webp:448
Bug: webp:551
Change-Id: If5fb95103ffedeed113e3ad62510f3a19bfd280e
in the 'Normal Code Length Code' description the number of valid code
lengths is 19, not 18.
Bug: webp:448
Bug: webp:551
Change-Id: Id929604e1d771cb09b2d0ac617e83f21077f21de
'zero alpha pixels' was a bit hard to parse; replace this with something
more explicit
Bug: webp:448
Change-Id: Ifc8c93af5520ffdafc58e3fc311dfb4cb19626e9
this makes the syntax in this document consistent with
webp-lossless-bitstream-spec.txt
[N-M] -> [N..M]
Bug: webp:448
Change-Id: Iebf39eefb7d3c081a3d10e2804ee215c3aed6b79
this is similar to an earlier change for most of the code examples:
7a0a9935 doc/*.txt: restrict code to 69 columns
some renderers may limit output to 72 and use a 3 space indent; this
avoids overflowing into the margin
Bug: webp:448
Change-Id: I2e8d66f598889c7bd824e911ea01fd70f98a4130
The distance code read from the bitstream is reduced by 1 before doing
the lookup. The prose describing the lookup was correct, the pseudocode
failed to subtract 1 and used x/y instead of xi/yi from the lookup.
Bug: webp:448
Change-Id: I152477b888c26a0473a35373d3d331fddd14237f
Rather than make a copy, requiring an additional lock/unlock only to set
the pointer to itself, pass the address of SharpYuvGetCPUInfo and use it
as a sentinel to avoid updating the pointer.
Change-Id: I22fb467f1659c16805c0d3bc7aaeba6a1bb16dbb
this was removed in:
979c0ebb sharpyuv: add SharpYuvGetCPUInfo
but currently, consumers of sharpyuv_dsp.h depend on the presence of
WEBP_USE_*
Change-Id: I9524aa5ab767a1b46770022220372455a86f198f
This gives a similar structure to libwebp and fixes a bug where passing
NULL to SharpYuvInit() would unconditionally set optimized function
pointers. SharpYuvInit() is left as an undocumented public function and
SharpYuvGetCPUInfo is kept private to serialize updates to the pointer.
Change-Id: Id72fbf3ba5b396367510e3bcd1ee2e4e11b95b8c
when threading is disabled; fixes:
src/enc/analysis_enc.c:429:15: warning: Value stored to 'split_row'
during its initialization is never read [deadcode.DeadStores]
const int split_row = (9 * last_row + 15) >> 4;
^~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~
Change-Id: I2b02173bb8c930ed54360cce5c7b88ecce098d83
* changes:
webp-container-spec: add prose for rendering process
webp-container-spec: note reserved fields MUST be ignored
webp-lossless-bitstream-spec: improve 'small' color table stmt
webp-container-spec: remove redundant sentence
doc/webp-*: fix some punctuation, grammar
webp-container-spec: clarify background color note
webp-container-spec: come too late -> out of order
webp-container-spec: prefer hex literals
webp-container-spec: change SHOULD to MUST w/ANIM chunk
webp-container-spec: add unknown fields MUST be ignored
webp-container-spec: make padding byte=0 a MUST
webp-container-spec: update note on trailing data
webp-container-spec: clarify Chunk Size is in bytes