First, BuildHuffmanTable is called to check if the data is valid.
If it is and the table is not big enough, more memory is allocated.
This will make sure that valid (but unoptimized because of unbalanced
codes) streams are still decodable.
Bug: chromium:1479274
Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
(cherry picked from commit 902bc91903)
(cherry picked from commit 2af26267cd)
VP8LBitWriterFinish() may cause the VP8LBitWriter's buffer to be grown.
If that allocation fails, VP8LBitWriterNumBytes() will return a size
larger than the current allocation resulting in a heap overwrite of the
missing bytes.
==13==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61900005b880 at pc 0x00000049ffc1 bp 0x7fff144f5b40 sp 0x7fff144f5310
READ of size 1028 at 0x61900005b880 thread T0
#0 0x49ffc0 in __asan_memcpy
#1 0x695861 in VP8BitWriterAppend src/utils/bit_writer_utils.c:186:3
#2 0x65acf9 in EncodeAlphaInternal src/enc/alpha_enc.c:169:14
Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
This is the same issue that was fixed in the non-alpha lossless path in:
d49cfbb3 vp8l_enc,WriteImage: add missing error check
Bug: chromium:1455619
Change-Id: I6bd10de213707d3d6b7ce3d0d2b3942af45d317f
(cherry picked from commit c3bd7cff2e)
VP8LBitWriterFinish() may cause the VP8LBitWriter's buffer to be grown.
If that allocation fails, VP8LBitWriterNumBytes() will return a size
larger than the current allocation resulting in a heap overwrite of the
missing bytes.
==3531848==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61d000000880 at pc 0x556eddfa1007 bp 0x7ffe434c7a90 sp 0x7ffe434c7260
READ of size 2052 at 0x61d000000880 thread T0
#0 0x556eddfa1006 in __asan_memcpy
#1 0x556eddfeeccf in WebPMemoryWrite src/enc/picture_enc.c:220:5
#2 0x556ede0f9f87 in WriteImage src/enc/vp8l_enc.c:1454:8
Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
Change-Id: Ib1c9454c2c51849b0ba58c5347e6bd5b02a12fbe
(cherry picked from commit d49cfbb348)
This avoids a double free should the function fail prior to
VP8BitWriterInit() and a previous trial result's buffer carried over.
Previously in ApplyFiltersAndEncode() trial.bw (with a previous
iteration's buffer) would be freed, followed by best.bw pointing to the
same buffer.
Since:
187d379d add a fallback to ALPHA_NO_COMPRESSION
In addition, check the return value of VP8BitWriterInit() in this
function.
Bug: webp:603
Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910
(cherry picked from commit a486d800b6)
This simplifies integration with the Android platform and avoids the
files from being used when a non-NDK build is performed. In that case
Android.bp is preferred.
Change-Id: I6e334cf8b05a19da8452405f5f448f9e4b6e4a40
Use prefix/exec_prefix for includedir/libdir if
CMAKE_INSTALL_{LIBDIR,INCLUDEDIR} are relative and the CMake variable
alone if they're absolute.
This matches what autoconf will produce if a custom --libdir or
--includedir are used.
See also: https://github.com/AOMediaCodec/libavif/issues/1220
Change-Id: I6fbc016c0009ede42e1e5db3a9ee7ae9545d8da0
for fixes to the distance_map pseudo-code, the inverse color transform
description and the num_code_lengths check.
Bug: webp:448
Bug: webp:551
Change-Id: Id7e791b97704dd64bb9519657ce48b92cb457ae4
The prose describing the process was missed in:
44dd765d webp-lossless-bitstream-spec: fix ColorTransform impl
Bug: webp:448
Bug: webp:551
Change-Id: If5fb95103ffedeed113e3ad62510f3a19bfd280e
in the 'Normal Code Length Code' description the number of valid code
lengths is 19, not 18.
Bug: webp:448
Bug: webp:551
Change-Id: Id929604e1d771cb09b2d0ac617e83f21077f21de
'zero alpha pixels' was a bit hard to parse; replace this with something
more explicit
Bug: webp:448
Change-Id: Ifc8c93af5520ffdafc58e3fc311dfb4cb19626e9
this makes the syntax in this document consistent with
webp-lossless-bitstream-spec.txt
[N-M] -> [N..M]
Bug: webp:448
Change-Id: Iebf39eefb7d3c081a3d10e2804ee215c3aed6b79
this is similar to an earlier change for most of the code examples:
7a0a9935 doc/*.txt: restrict code to 69 columns
some renderers may limit output to 72 and use a 3 space indent; this
avoids overflowing into the margin
Bug: webp:448
Change-Id: I2e8d66f598889c7bd824e911ea01fd70f98a4130
The distance code read from the bitstream is reduced by 1 before doing
the lookup. The prose describing the lookup was correct, the pseudocode
failed to subtract 1 and used x/y instead of xi/yi from the lookup.
Bug: webp:448
Change-Id: I152477b888c26a0473a35373d3d331fddd14237f
Rather than make a copy, requiring an additional lock/unlock only to set
the pointer to itself, pass the address of SharpYuvGetCPUInfo and use it
as a sentinel to avoid updating the pointer.
Change-Id: I22fb467f1659c16805c0d3bc7aaeba6a1bb16dbb
this was removed in:
979c0ebb sharpyuv: add SharpYuvGetCPUInfo
but currently, consumers of sharpyuv_dsp.h depend on the presence of
WEBP_USE_*
Change-Id: I9524aa5ab767a1b46770022220372455a86f198f
This gives a similar structure to libwebp and fixes a bug where passing
NULL to SharpYuvInit() would unconditionally set optimized function
pointers. SharpYuvInit() is left as an undocumented public function and
SharpYuvGetCPUInfo is kept private to serialize updates to the pointer.
Change-Id: Id72fbf3ba5b396367510e3bcd1ee2e4e11b95b8c
when threading is disabled; fixes:
src/enc/analysis_enc.c:429:15: warning: Value stored to 'split_row'
during its initialization is never read [deadcode.DeadStores]
const int split_row = (9 * last_row + 15) >> 4;
^~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~
Change-Id: I2b02173bb8c930ed54360cce5c7b88ecce098d83
