Users of the encoder (including anim_encode.c) and areas of the encoder
itself rely on the status returned via WebPPicture.
Change-Id: Id786176b8ac3b2329d1e41b9dacbb8dcc5d822e4
VP8LBitWriterFinish() may cause the VP8LBitWriter's buffer to be grown.
If that allocation fails, VP8LBitWriterNumBytes() will return a size
larger than the current allocation resulting in a heap overwrite of the
missing bytes.
==13==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61900005b880 at pc 0x00000049ffc1 bp 0x7fff144f5b40 sp 0x7fff144f5310
READ of size 1028 at 0x61900005b880 thread T0
#0 0x49ffc0 in __asan_memcpy
#1 0x695861 in VP8BitWriterAppend src/utils/bit_writer_utils.c:186:3
#2 0x65acf9 in EncodeAlphaInternal src/enc/alpha_enc.c:169:14
Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
This is the same issue that was fixed in the non-alpha lossless path in:
d49cfbb3 vp8l_enc,WriteImage: add missing error check
Bug: chromium:1455619
Change-Id: I6bd10de213707d3d6b7ce3d0d2b3942af45d317f
VP8LBitWriterFinish() may cause the VP8LBitWriter's buffer to be grown.
If that allocation fails, VP8LBitWriterNumBytes() will return a size
larger than the current allocation resulting in a heap overwrite of the
missing bytes.
==3531848==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61d000000880 at pc 0x556eddfa1007 bp 0x7ffe434c7a90 sp 0x7ffe434c7260
READ of size 2052 at 0x61d000000880 thread T0
#0 0x556eddfa1006 in __asan_memcpy
#1 0x556eddfeeccf in WebPMemoryWrite src/enc/picture_enc.c:220:5
#2 0x556ede0f9f87 in WriteImage src/enc/vp8l_enc.c:1454:8
Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).
Change-Id: Ib1c9454c2c51849b0ba58c5347e6bd5b02a12fbe
The histograms count the occurrences of len/dist in entropy images.
Those (at most (1<<14) by (1<<14)) are sub-sampled by at least
MIN_HUFFMAN_BITS == 2, hence at most 24 bits in a histogram value.
At most, we multiply by 19 (because the longest histogram is of
size 40 and we do 40>>1, cf code) for the bit cost. So it all fits
in 32 bits.
Change-Id: Ife24b035f54794851ff31f2fac07901f724c6d7f
This avoids defining a version in each translation unit when using
__declspec(dllexport) which causes failures due to multiply defined
symbols with clang-cl:
lld-link: error: duplicate symbol: VP8GetCPUInfo
>>> defined at CMakeFiles\webpdecode.dir\Debug\src\dec\alpha_dec.c.obj
>>> defined at CMakeFiles\webpdsp.dir\Debug\src\dsp\dec_sse41.c.obj
...
Bug: webp:607
Change-Id: I6cd1ee75b3db984aa513263a05516e867a64925d
This avoids a double free should the function fail prior to
VP8BitWriterInit() and a previous trial result's buffer carried over.
Previously in ApplyFiltersAndEncode() trial.bw (with a previous
iteration's buffer) would be freed, followed by best.bw pointing to the
same buffer.
Since:
187d379d add a fallback to ALPHA_NO_COMPRESSION
In addition, check the return value of VP8BitWriterInit() in this
function.
Bug: webp:603
Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910
when threading is disabled; fixes:
src/enc/analysis_enc.c:429:15: warning: Value stored to 'split_row'
during its initialization is never read [deadcode.DeadStores]
const int split_row = (9 * last_row + 15) >> 4;
^~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~
Change-Id: I2b02173bb8c930ed54360cce5c7b88ecce098d83
thread safety was internalized in:
782ed48c sharpyuv,SharpYuvInit: add mutex protection when available
Change-Id: I2877e7bb78bf89ad7504c33d04b22952c0c0a968
the ternary used with alpha_offset was removed in:
3b07d327 Import,RGBA: fix for BigEndian import
use the ALPHA_OFFSET directly
Change-Id: Iee9b7c54f1498591e8c5834766dc4d34a321133d
this localizes the conversion to int in the function; the parameter was
previously changed in:
6ab496ed fix some 'unsigned integer overflow' warnings in ubsan
implicit conversion from type 'uint32_t' (aka 'unsigned int') of value
2350919223 (32-bit, unsigned) to type 'int' changed the value to
-1944048073 (32-bit, signed)
Bug: b/229626362
Change-Id: I589eec11c0dabaeba99e153e705f956181c570d2
in the case of use_argb, alpha_offset may be non-zero which would cause
the null pointer check in CheckNonOpaque to pass
fixes a potential crash with invalid width/height set or an integer
sanitizer warning when passing a zeroed picture:
src/enc/picture_csp_enc.c:73:57: runtime error: applying non-zero offset
3 to null pointer
Change-Id: I9d499bba12c65ad5c65d8f9f3c8ee9298ac6081a
WEBP_REDUCE_SIZE was introduced to bring down the library size by
removing cropping and scaling support. Previously WebPPictureView() was
only used with these two, but in
ec178f2c Add progress hook granularity in lossless
an additional use was added in VP8LEncodeStream() when extra side
configurations are used in crunch mode (-mt, quality == 100 & method ==
6 or quality >= 75 & method == 5 with a palette present currently).
WebPPictureView() and, for coherency, WebPPictureIsView() are
restored in this configuration to avoid affecting the general encode
path.
Previously WebPPictureView() was assumed to always succeed in these
cases which could result in crashes with WEBP_REDUCE_SIZE defined.
Bug: chromium:1345547
Bug: chromium:1345595
Bug: chromium:1345772
Bug: chromium:1345804
Change-Id: Ifecde36a726a434510478a764514b1469942c684
(cherry picked from commit 84163d9d02)
and use it to suppress a false positive related to data that passes
through RGBA32PackedToPlanar_16b_SSE41(). Current versions (tested with
clang 13.0.1, using -O0 and the build from oss-fuzz of enc_dec_fuzzer)
model shuffles incorrectly reporting use of uninitialized
data related to the alpha change that's removed when converting to YUV.
valgrind behaves correctly, however.
Bug: webp:573
Change-Id: If76997668dcdd436adf280a2e6dcffba766a2875
quiets a warning under visual studio:
src\enc\picture_enc.c(48) : warning C4028: formal parameter 1 different
from declaration
Change-Id: Ic3affbbb0e22ac8c43fa183e13506eee72e180dc
- pic->picture in public header
- match implementation to declaration in PictureImport, WebPPictureRescale, WebpBlendAlpha
Change-Id: Ibf3771af22d671bba6fd657684add618c6f32978
Remove unused constants.
Use ALL_CAPS for defines and kCamelCase for static const values.
Change some defines into static constants if they are not used in array sizes.
Change-Id: I036b0f99215fd0414a33f099bd6b809ff8ee4541
1 space is most common in the source; this fixes some mixed cases within
lossless files, likely from clang-format
Change-Id: I504206d5bf418781d4131ee73570ecee4e0a69a1
previously failures in the call to
VP8LBackwardReferencesTraceBackwards() would be ignored which, though it
wouldn't result in a crash, would produce non-deterministic output
Change-Id: Id9890a60883c3270ec75e968506d46eea32b76d4
change CostManager to calloc to avoid frees on undefined pointer
values in CostManagerClear() should the cost_model allocation succeed,
but the cost_manager allocation fail
since:
v0.5.0-93-g3e023c17 Speed-up BackwardReferencesHashChainDistanceOnly.
Tested:
for i in `seq 1 639`; do
export MALLOC_FAIL_AT=$i
./examples/cwebp -m 6 -q 100 -lossless jpeg_file
done
Bug: webp:565
Change-Id: I376d81e6f41eb73529053e9e30c142b4b4f6b45b
initialize bw_side before calling EncoderAnalyze() & EncoderInit() which
may fail; previously this would cause a free of an invalid pointer in
VP8LBitWriterWipeOut().
since at least:
v0.6.0-120-gf8c2ac15 Multi-thread the lossless cruncher.
Tested:
for i in `seq 1 639`; do
export MALLOC_FAIL_AT=$i
./examples/cwebp -m 6 -q 100 -lossless jpeg_file
done
Bug: webp:565
Change-Id: I1c95883834b6e4b13aee890568ce3bad0f4266f0
