The available size was not checked before parsing the VP8X data
BUG=oss-fuzz:9100,oss-fuzz:9123
Change-Id: I0143cc4554883c1015e2f084a0e371229e04a8ca
(cherry picked from commit 95fd65070662e01cc9170c4444f5c0859a710097)
idec_dec.c, DecodeRemaining: Set decoder state to ERROR to prevent VP8ExitCritical to be called again
Change-Id: Id5f893f45c348e1c529680d930e640f780a73d4c
(cherry picked from commit 9e729fe19bb60f4ecac357a3d3f5c5c64dd080d2)
CopyBlock8b() was over-using memcpy() of 16b values.
BUG=webp:393
Change-Id: Id56f10d334b9a453fbcf50dabfaa63529bcff7e5
(cherry picked from commit 211f37ee633aa31c37160c84cc9b868c10fbe8b9)
treat an ANMF chunk containing multiple VP8/VP8L file as malformed.
fixes a WebPMuxImage::img_ leak.
Though the invalid free in #9106 was avoided in (ubsan):
be738c6d muxread,ChunkVerifyAndAssign: validate chunk_size
that file would still cause a leak similar to #9099.
BUG=oss-fuzz:9099,oss-fuzz:9106
Change-Id: Ib873446a1188afeeb2fe5d53a86b75e0c5de9573
(cherry picked from commit eb82ce76ddca13ad6fb13376bb58b9fd3f850e9e)
(we also limit radius based on height too, for good measure, although it's not an asan bug)
fixes oss-fuzz issue #9105
Change-Id: Ie0d79dd81480dc4e2b653b7e992e5cdcd3dfa834
(cherry picked from commit 1344a2e947c749d231141a295327e5b99b444d63)
before accounting for padding which might overflow if chunk_size is >
MAX_CHUNK_PAYLOAD.
BUG=webp:387,webp:388
Change-Id: I3985b8817ed4faaec0629102c5333c228a0e9c98
(cherry picked from commit be738c6d396fa5a272c1b209be4379a7532debfe)
previously when adjusting size down based on a smaller riff_size the
checks were insufficient to prevent 'size -= RIFF_HEADER_SIZE' from
rolling over causing ChunkVerifyAndAssign to over read. the new checks
are imported from demux.c.
BUG=webp:386
Change-Id: If863c4a9892977b9ade7dd894392a0ecae13775c
(cherry picked from commit 2c70ad76c94db5427d37ab4b85dc89b94dd75e01)
with loop_compatibility disabled (the default), non-zero loop counts
will be incremented by 1 for browser rendering compatibility. the max,
65535, is a special case as the muxer will fail if it is exceeded; avoid
increasing the limit in this case. this isn't 100% correct, but should
be close enough given the high number of iterations.
BUG=webp:382
Change-Id: Icde3e98a58e9ee89604a72fafda30ab71060dec5
(cherry picked from commit af0e4fbb0669026659983691a15dad23a9f196c1)
the interpretation of a 0 duration depends on the implementation;
merging of multiple frames isn't guaranteed, some may enforce a minimum
duration.
BUG=webp:380
Change-Id: Idf592049d2092e4cc5cfb2e4c59ddbc91bd52f9c
(cherry picked from commit 71c39a06c83b7bfbee136fd40ac710bdda3a237c)
this internalizes the init checks and provides stronger synchronization
with pthreads when available while still allowing VP8GetCPUInfo to be
modified (mostly for testing purposes). windows is left as is since a
critical section or mutex would cause a leak.
Change-Id: Ieb997e014f2805c0ae39c16f13337663521356f4
(cherry picked from commit d77bf512bd0c4ff53019e357a2d24f6c4e3fbefc)
the 'accum' variable can be larger than 15b for large
rescale values.
Assert triggered:
src/dsp/rescaler_sse2.c:249: RescalerExportRowExpand_SSE2: Assertion `v >= 0 && v <= 255' failed.
src/dsp/rescaler_sse2.c:350: RescalerExportRowShrink_SSE2: Assertion `v >= 0 && v <= 255' failed.
-> fall back to C implementation in this case for now
Change-Id: I7ea1cb72301cafc1459be403f6a6f4e3cbc89bb1
bits-per-pixel were intended, not bytes-per-pixel
Change-Id: I023349013ac5956154ab4526bd1e195dfe95b8ab
(cherry picked from commit e122e511cf091bb31d7f42503497029abc60256c)
Also fix the bug where near lossless was not used
and allow examples to be built by default.
Change-Id: Ieb5ef77fafe83f3776ff4fd27a6d26534c7a51f3
(cherry picked from commit e155dda0cc110bcf36f9157d15cb355f7d102732)
this prevents unknown escapes containing '-'s getting stripped on OS X
when a tty targeted font is used
Change-Id: I11d77f2984d9fd67a8b22948fb21e4c11396aec4
This is to harmonize the -h/-version options on all our examples.
+ added GetAnimatedImageVersions() method to anim_util.*
Change-Id: I2304a1c29e310682e97f236d3867274a192a7a09
Control Flow Integrity [1] indirect call checking verifies that function
pointers only call valid functions with a matching type signature. This
change eliminates function pointer casts that were causing cfi-icall
failures.
[1] https://www.chromium.org/developers/testing/control-flow-integrity
BUG=chromium:827826
Change-Id: I5db021d06390a6cefd670fdd2f0d34c9e530465e
(cherry picked from commit 978eec2507e3b5110bd1d2a408fa27a8f7e702cf)
this is consistent with web browser behavior as well as various
transcoding tools (ffmpeg, gif2apng, etc).
also: update anim_diff to account for this new behaviour.
BUG=webp:379
Change-Id: I70cc72a6b401ef32b73cd182a3f12d993d495bf4
Output is <.1% difference in size, randomly.
Speed is 30-50% faster (-m 0 -sharp_yuv).
It also gives the exact same output on ARM and x86, because floats
are no longer used.
Change-Id: Id0f0aa748cc4fc0b82bac1fc5ca954775a0a1b7c
this quiets a -Wclobbered warning on const has_alpha under gcc-7 and
brings the variables closer to their first use.
Change-Id: I8a24f275b7ff34a94d47b576bcf276dbedac2121
