Commit Graph

3791 Commits

Author SHA1 Message Date
Vincent Rabaud
ef52aca922 Limit memory allocation when reading invalid Huffman codes.
This is a backported fix for: CVE-2020-36332

This is a merge of:
dce5d76431
39cb9aad85
067031eaed

Change-Id: Iab84d2ca459327cdcee1038499842d30370fe486
2023-10-09 16:24:38 +02:00
Vincent Rabaud
e194928e8b Modernize CMake.
This is mostly to be compliant with CMake CI tests.

Change-Id: I4bb20d7f93b3808bbb1374cef4fd4cb9767e91e0
2023-10-09 16:24:38 +02:00
James Zern
5357804f52 EncodeAlphaInternal: clear result->bw on error
This avoids a double free should the function fail prior to
VP8BitWriterInit() and a previous trial result's buffer carried over.
Previously in ApplyFiltersAndEncode() trial.bw (with a previous
iteration's buffer) would be freed, followed by best.bw pointing to the
same buffer.

Since:
187d379d add a fallback to ALPHA_NO_COMPRESSION

In addition, check the return value of VP8BitWriterInit() in this
function.

Bug: webp:603
Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910
(cherry picked from commit a486d800b6)
2023-02-28 00:27:13 +00:00
James Zern
5c0690bc75 GetBackwardReferences: fail on alloc error
previously failures in the call to
VP8LBackwardReferencesTraceBackwards() would be ignored which, though it
wouldn't result in a crash, would produce non-deterministic output

Change-Id: Id9890a60883c3270ec75e968506d46eea32b76d4
(cherry picked from commit e3cfafaf71)
(cherry picked from commit 20ef03ee35)
(cherry picked from commit 89e226a3c7)
2022-04-06 21:57:08 -07:00
James Zern
91cc4e377f BackwardReferencesHashChainDistanceOnly: fix segfault on OOM
change CostManager to calloc to avoid frees on undefined pointer
values in CostManagerClear() should the cost_model allocation succeed,
but the cost_manager allocation fail

since:
v0.5.0-93-g3e023c17 Speed-up BackwardReferencesHashChainDistanceOnly.

Tested:
for i in `seq 1 639`; do
  export MALLOC_FAIL_AT=$i
  ./examples/cwebp -m 6 -q 100 -lossless jpeg_file
done

Bug: webp:565
Change-Id: I376d81e6f41eb73529053e9e30c142b4b4f6b45b
(cherry picked from commit a828a59b49)
(cherry picked from commit dd80bb4343)
(cherry picked from commit 4d0964cd0c)
2022-04-06 21:57:08 -07:00
James Zern
c0299b779c VP8LEncodeStream: fix segfault on OOM
initialize bw_side before calling EncoderAnalyze() & EncoderInit() which
may fail; previously this would cause a free of an invalid pointer in
VP8LBitWriterWipeOut().

since at least:
v0.6.0-120-gf8c2ac15 Multi-thread the lossless cruncher.

Tested:
for i in `seq 1 639`; do
  export MALLOC_FAIL_AT=$i
  ./examples/cwebp -m 6 -q 100 -lossless jpeg_file
done

Bug: webp:565
Change-Id: I1c95883834b6e4b13aee890568ce3bad0f4266f0
(cherry picked from commit fe153fae98)
(cherry picked from commit ddd65f0d19)
(cherry picked from commit 5d805f7205)
2022-04-06 21:57:08 -07:00
James Zern
36fa3a48f7 alpha_processing_neon.c: fix 0x01... typo
one instance was overlong leading to an int64->uint32 conversion warning

Change-Id: I56d5ab75d89960c79293f62cd489d7ab519bbc34
(cherry picked from commit 03d1219055)
2022-03-08 19:38:13 +00:00
James Zern
6debf34c54 alpha_processing_neon.c: fix Dispatch/ExtractAlpha_NEON
the trailing width % 8 bytes would clear the upper bytes of
alpha_mask as they're done one at a time

since:
49d0280d NEON: implement several alpha-processing functions

Change-Id: Iff76c0af3094597285a6aa6ed032b345f9856aae
(cherry picked from commit 924e7ca654)
2022-03-03 18:07:34 +00:00
Vincent Rabaud
f9298cb8b4 Make sure partition #0 is read before VP8 data in IDecode.
BUG=oss-fuzz:9186,webp:512

Change-Id: Ie0b264b6422774343206ddba3c2820a0cf37ffc0
(cherry picked from commit 5f0f5c07c4)
(cherry picked from commit 99d0790233)
2021-03-23 17:09:21 -07:00
Pascal Massimino
2cb7701480 fix read-overflow while parsing VP8X chunk
The available size was not checked before parsing the VP8X data

BUG=oss-fuzz:9100,oss-fuzz:9123,webp:512

Change-Id: I0143cc4554883c1015e2f084a0e371229e04a8ca
(cherry picked from commit 95fd650706)
(cherry picked from commit c0226fd91c)
2021-03-23 17:09:16 -07:00
Yannis Guyon
35de4be698 Fix VP8IoTeardownHook being called twice on worker sync failure
idec_dec.c, DecodeRemaining: Set decoder state to ERROR to prevent VP8ExitCritical from being called again

BUG=webp:512

Change-Id: Id5f893f45c348e1c529680d930e640f780a73d4c
(cherry picked from commit 9e729fe19b)
(cherry picked from commit a14e0f6465)
2021-03-23 17:09:08 -07:00
Pascal Massimino
641fbb5e89 fix endian problems in pattern copy
CopyBlock8b() was over-using memcpy() of 16b values.

BUG=webp:393,webp:512

Change-Id: Id56f10d334b9a453fbcf50dabfaa63529bcff7e5
(cherry picked from commit 211f37ee63)
(cherry picked from commit 667d17a8a4)
2021-03-23 17:09:03 -07:00
James Zern
b5e0b231c1 muxread,anmf: fail on multiple image chunks
treat an ANMF chunk containing multiple VP8/VP8L files as malformed.
fixes a WebPMuxImage::img_ leak.

Though the invalid free in #9106 was avoided in (ubsan):
be738c6d muxread,ChunkVerifyAndAssign: validate chunk_size
that file would still cause a leak similar to #9099.

BUG=oss-fuzz:9099,oss-fuzz:9106,webp:512

Change-Id: Ib873446a1188afeeb2fe5d53a86b75e0c5de9573
(cherry picked from commit eb82ce76dd)
(cherry picked from commit f4cf238a41)
2021-03-23 17:08:55 -07:00
Pascal Massimino
2ccbb406e1 fix alpha-filtering crash when image width is larger than radius
(we also limit radius based on height too, for good measure, although it's not an asan bug)

fixes oss-fuzz issue #9105

BUG=webp:512

Change-Id: Ie0d79dd81480dc4e2b653b7e992e5cdcd3dfa834
(cherry picked from commit 1344a2e947)
(cherry picked from commit 61ff26aeeb)
2021-03-23 17:08:47 -07:00
James Zern
47768596f6 muxread,ChunkVerifyAndAssign: validate chunk_size
before accounting for padding which might overflow if chunk_size is >
MAX_CHUNK_PAYLOAD.

BUG=webp:387,webp:388,webp:512

Change-Id: I3985b8817ed4faaec0629102c5333c228a0e9c98
(cherry picked from commit be738c6d39)
(cherry picked from commit 6f643f2417)
2021-03-23 17:08:41 -07:00
James Zern
12669892f6 muxread,CreateInternal: fix riff size checks
previously when adjusting size down based on a smaller riff_size the
checks were insufficient to prevent 'size -= RIFF_HEADER_SIZE' from
rolling over causing ChunkVerifyAndAssign to over read. the new checks
are imported from demux.c.

BUG=webp:386,webp:512

Change-Id: If863c4a9892977b9ade7dd894392a0ecae13775c
(cherry picked from commit 2c70ad76c9)
(cherry picked from commit 706ff9c325)
2021-03-23 17:08:35 -07:00
Yannis Guyon
528c8909ef Fix for thread race heap-use-after-free
BUG=webp:385,webp:512

Change-Id: I3a300b45ccae33470888cf2e35a7e937579c9409
(cherry picked from commit 569001f19f)
(cherry picked from commit a0b85e4a36)
2021-03-23 17:08:30 -07:00
Pascal Massimino
16fc937d2e fix invalid check for buffer size
BUG=webp:383,webp:512

Change-Id: I8ebbb5ca4860d73c3b59b12e238b54a89184bed0
(cherry picked from commit 71ed73cf86)
(cherry picked from commit dad31750e3)
2021-03-23 17:08:25 -07:00
James Zern
1f14632a18 gif2webp: fix transcode of loop count=65535
with loop_compatibility disabled (the default), non-zero loop counts
will be incremented by 1 for browser rendering compatibility. the max,
65535, is a special case as the muxer will fail if it is exceeded; avoid
increasing the limit in this case. this isn't 100% correct, but should
be close enough given the high number of iterations.

BUG=webp:382,webp:512

Change-Id: Icde3e98a58e9ee89604a72fafda30ab71060dec5
(cherry picked from commit af0e4fbb06)
(cherry picked from commit 4b282e13ad)
2021-03-23 17:08:16 -07:00
Pascal Massimino
dcf860bad1 Import,RGBA: fix for BigEndian import
+ simplification of the logic

Change-Id: Ia20ce844793ed35ea03a17cef45838f3d0ae4afa
(cherry picked from commit 3b07d32712)
2018-02-18 20:29:30 -08:00
Pascal Massimino
ab7b23e93c ReadWebP: fix for big-endian
Change-Id: I36b3c12ccf02eb5dad350c460387c0528fff8df3
(cherry picked from commit 3005237a5d)
2018-02-18 20:29:24 -08:00
James Zern
6b7a95fd83 update ChangeLog
Change-Id: I868b7680164ddc712233acc8607a8dfb6b3a4cbe
2017-11-28 12:01:56 -08:00
Pascal Massimino
f66955de5f WEBP_REDUCE_CSP: restrict colorspace support
only supported ones are: RGBA/BGRA/rgbA/bgrA (decoder)
as well as: WebPPictureImportRGB/RGBX/RGBA (encoder).

(note: extras/get_disto is affected too)

Change-Id: If6c4f95054ca15759c4e289fb3b4c352b3521c2c
(cherry picked from commit 6de20df02c)
2017-11-28 00:15:15 -08:00
James Zern
a289d8e774 update ChangeLog
Change-Id: Ia1e4669e6270faa6daae6306f47baa31488f119d
2017-11-25 19:01:58 -08:00
James Zern
c10a493caf vwebp: disable double buffering on windows & mac
this results in flickering with animated webp + alpha. disabling the
option is a workaround to restore the behavior to the previous release.

BUG=webp:365

Change-Id: Iac7fcc0d483837e76cc54ad3f26c4e0e5511e31d
2017-11-25 18:22:39 -08:00
James Zern
0d4466c2b4 webp_to_sdl.c: fix file mode
Change-Id: I1ca8506d40a60cd6db7f6f0d63a4431848bb0ea9
2017-11-25 13:52:03 -08:00
Pascal Massimino
1b27bf8b76 WEBP_REDUCE_SIZE: disable all rescaler code
BUG=webp:355

Change-Id: Id87cb11902e3fb8544a214308526ea9665ce8440
(cherry picked from commit 0df22b9eed)
2017-11-24 22:40:15 -08:00
James Zern
126be10950 webpinfo: add -version option
Change-Id: I5861d5ccd2119dd6749dc70b65fd145b5a732f98
2017-11-24 14:21:05 -08:00
James Zern
9add62b581 bump version to 0.6.1
libwebp{,decoder} - 0.6.1
libwebp libtool - 7.1.0
libwebpdecoder libtool - 3.1.0

mux - 0.4.1
libtool - 3.1.0

demux - 0.3.3
libtool - 2.3.0

Change-Id: If4a95c6e9829d4a608028ee9258b5c2b7af60c37
2017-11-24 21:03:05 +00:00
James Zern
d3e2614493 update NEWS
Change-Id: I66c8abe05b54558030a8555d80010506730ecbe9
2017-11-24 12:21:44 +00:00
James Zern
2edda639b2 README: add webpinfo section
Change-Id: Iee4a4ecbe562d6154f627ba62524cd1871a06564
2017-11-23 23:58:22 -08:00
James Zern
9ca568ef82 Merge "right-size some tables"
2017-11-24 06:28:02 +00:00
Pascal Massimino
31f1995cc5 Merge "SSE2 implementation of HasAlphaXXX"
2017-11-24 06:25:58 +00:00
Pascal Massimino
a80c46bd87 SSE2 implementation of HasAlphaXXX
Change-Id: I2548d9a0c252e20ee3cf5f4be736a3703671ecb4
HasAlpha32b: ~3-4x faster
HasAlpha8b: ~7-8x faster
2017-11-23 15:02:21 +01:00
James Zern
083507f244 right-size some tables
Change-Id: I5e894fd3f0f4b666512108495d8cecb34f65e119
2017-11-23 08:40:58 +00:00
Pascal Massimino
2e5785b233 anim_utils.c: remove warning when !defined(WEBP_HAVE_GIF)
BUG=webp:355
Change-Id: I57d77672260771bb0c2ab3c802388f2d62b1f187
2017-11-23 00:22:33 -08:00
James Zern
b299c47eac add WEBP_REDUCE_SIZE
remove auto-filter (-af) support and make WebPPictureCopy,
WebPPictureIsView, WebPPictureView, WebPPictureCrop, and
WebPPictureRescale noops.

Change-Id: If39d512cc268a0015298a1138dbc94feb86575e5
2017-11-22 17:35:39 -08:00
James Zern
f593d71a64 enc: disable pic->stats/extra_info w/WEBP_DISABLE_STATS
Change-Id: I4ca3fa45710bd6bbe131b2ae047b1e268241657c
2017-11-22 17:04:01 -08:00
James Zern
541179a9a5 Merge "predictor_enc: fix build w/--disable-near-lossless"
2017-11-23 01:02:59 +00:00
James Zern
5755a7ec53 predictor_enc: fix build w/--disable-near-lossless
Change-Id: I0d01cdc77e72663f1cf778e3cf3066cd54aa5439
2017-11-22 15:02:21 -08:00
James Zern
eab5bab74f add WEBP_DISABLE_STATS
use to make WebPPictureDistortion & WebPPlaneDistortion noops and
clear some ssim code.

Change-Id: I9b50b2318b7a114632e5a237a4002f64e95afbbc
2017-11-22 12:41:17 -08:00
Pascal Massimino
8052c585b3 remove some petty TODOs from vwebp.
they're rather low-prio anyway.

Change-Id: I76dd74fcfb1c974c6f8a074472455d3f0b202e01
2017-11-22 19:22:52 +00:00
Pascal Massimino
c245343dcb move LOAD8x4 and STORE8x2 closer to their use location
Change-Id: I674821732d3e607123070e4bbba87d9359c9a4ec
2017-11-21 23:44:39 -08:00
James Zern
b9e734fd5c dec,cosmetics: normalize function naming style
Change-Id: I33a2d1b4133db7a6d56d506f5c19670f0268cecd
2017-11-21 14:31:34 -08:00
James Zern
c188d546b3 dec: harmonize function suffixes
BUG=webp:355

Change-Id: Iabdfd3fbde906c2e35a7d7c080a8512425eb8ccb
2017-11-21 13:00:25 -08:00
James Zern
28c5ac8104 dec_sse41: harmonize function suffixes
BUG=webp:355

Change-Id: Id55f7b2e6288d1d0885d8451fbc59771222073d6
2017-11-21 12:47:06 -08:00
Pascal Massimino
e65b72a368 Merge "introduce WebPHasAlpha8b and WebPHasAlpha32b"
2017-11-21 06:21:44 +00:00
James Zern
b94cee98fb dec_sse2: remove HE8uv_SSE2
with gcc-4.8, clang-4.0.1/5 this is no faster (actually up to 2x slower)
than the code generated for memset (0x01010... * dst[-1]). shuffles in
sse4 recover a bit, but performance is still down.

Change-Id: Ie85e8353f8ede559d0b05a1d388787fd18ecc80f
2017-11-20 20:34:05 -08:00
Pascal Massimino
44a0ee3fa7 introduce WebPHasAlpha8b and WebPHasAlpha32b
Rewrote WebPPictureHasTransparency() to use them (even for argb).
This is 10% faster, for some reason.

SSE2 version should be straightforward.
Removes a TODO.

Change-Id: I7ad5848fc5e355e2df505dbcd5a0f42fb6cbab41
2017-11-20 15:20:29 +01:00
Pascal Massimino
aebf59ac50 Merge "WebPPictureAllocARGB: align argb allocation"
2017-11-17 07:27:41 +00:00