The chunk list only has two operations: append and set
to one element. The two operations are split and the append
one is sped up by storing the last element.
Corrupted data could make a very long list to search through.
BUG=oss-fuzz:9190
Change-Id: I1aa813ca629df29efaa3b46dbd4c4c42dbeaa34c
The standard allows for Huffman images with any coefficients.
Hence potentially big memory allocations. The previous workaround
was "trying" things out, the new one is more rigorous and
only allocates what is needed, modifying the Huffman image
to contain the minimal set of coefficients.
BUG=oss-fuzz:8623,oss-fuzz:9111,oss-fuzz:9134
Change-Id: I6a972e90e4ae509c15cb41ee22c58b775fa3f4aa
idec_dec.c, DecodeRemaining: Set decoder state to ERROR to prevent VP8ExitCritical from being called again
Change-Id: Id5f893f45c348e1c529680d930e640f780a73d4c
treat an ANMF chunk containing multiple VP8/VP8L files as malformed.
fixes a WebPMuxImage::img_ leak.
Though the invalid free in #9106 was avoided in (ubsan):
be738c6d muxread,ChunkVerifyAndAssign: validate chunk_size
that file would still cause a leak similar to #9099.
BUG=oss-fuzz:9099,oss-fuzz:9106
Change-Id: Ib873446a1188afeeb2fe5d53a86b75e0c5de9573
(we also limit radius based on height too, for good measure, although it's not an asan bug)
fixes oss-fuzz issue #9105
Change-Id: Ie0d79dd81480dc4e2b653b7e992e5cdcd3dfa834
before accounting for padding which might overflow if chunk_size is >
MAX_CHUNK_PAYLOAD.
BUG=webp:387,webp:388
Change-Id: I3985b8817ed4faaec0629102c5333c228a0e9c98
previously when adjusting size down based on a smaller riff_size the
checks were insufficient to prevent 'size -= RIFF_HEADER_SIZE' from
rolling over causing ChunkVerifyAndAssign to over read. the new checks
are imported from demux.c.
BUG=webp:386
Change-Id: If863c4a9892977b9ade7dd894392a0ecae13775c
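
Added example, not part of the commits above and not libwebp's own code: a C illustration of the two size checks the preceding two messages describe, rejecting a chunk_size above MAX_CHUNK_PAYLOAD before padding is added, and validating riff_size before 'size -= RIFF_HEADER_SIZE'. The helper names, the constant values and the sample buffers are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Names follow the commit messages; values are this example's assumptions. */
#define TAG_SIZE          4u
#define CHUNK_HEADER_SIZE 8u    /* tag + 32-bit little-endian size */
#define RIFF_HEADER_SIZE  12u   /* "RIFF" + size + "WEBP" */
#define MAX_CHUNK_PAYLOAD (~0u - CHUNK_HEADER_SIZE - 1u)

static uint32_t get_le32(const uint8_t* p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical helper: padded on-disk size of the chunk at `data`, header
 * included. Returns 1 and sets *disk_size, or 0 if malformed/truncated. */
int chunk_disk_size(const uint8_t* data, size_t avail, size_t* disk_size) {
  uint32_t payload;
  uint64_t total;
  if (avail < CHUNK_HEADER_SIZE) return 0;
  payload = get_le32(data + TAG_SIZE);
  /* Range-check first: (payload + 1) & ~1 wraps to 0 for 0xffffffff. */
  if (payload > MAX_CHUNK_PAYLOAD) return 0;
  total = (uint64_t)CHUNK_HEADER_SIZE + ((payload + 1u) & ~1u);
  if (total > avail) return 0;
  *disk_size = (size_t)total;
  return 1;
}

/* Hypothetical helper: bytes that follow the 12-byte RIFF header once the
 * buffer is clamped to the declared riff_size. Returns 1 on success. */
int riff_body_size(const uint8_t* data, size_t size, size_t* body_size) {
  uint32_t riff_size;
  if (size < RIFF_HEADER_SIZE) return 0;
  riff_size = get_le32(data + TAG_SIZE);
  /* In this model riff_size must cover the "WEBP" tag; a smaller value
   * would let 'size -= RIFF_HEADER_SIZE' roll over after the clamp. */
  if (riff_size < TAG_SIZE || riff_size > MAX_CHUNK_PAYLOAD) return 0;
  if ((uint64_t)riff_size + CHUNK_HEADER_SIZE < size)
    size = (size_t)riff_size + CHUNK_HEADER_SIZE;
  *body_size = size - RIFF_HEADER_SIZE;  /* size >= 12 is guaranteed here */
  return 1;
}

/* Constructed sample inputs (not taken from any fuzzer report). */
const uint8_t kHugeChunk[8] = {'V','P','8',' ', 0xff,0xff,0xff,0xff};
const uint8_t kOddChunk[12] = {'E','X','I','F', 3,0,0,0, 1,2,3,0};
const uint8_t kTinyRiff[16] = {'R','I','F','F', 1,0,0,0, 'W','E','B','P'};
const uint8_t kGoodRiff[16] = {'R','I','F','F', 4,0,0,0, 'W','E','B','P'};
```
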
with loop_compatibility disabled (the default), non-zero loop counts
will be incremented by 1 for browser rendering compatibility. the max,
65535, is a special case as the muxer will fail if it is exceeded; avoid
increasing the limit in this case. this isn't 100% correct, but should
be close enough given the high number of iterations.
BUG=webp:382
Change-Id: Icde3e98a58e9ee89604a72fafda30ab71060dec5
- 4/2/2018: version 1.0.0
This is a binary compatible release.
* lossy encoder improvements to avoid chroma shifts in various circumstances
(issues #308, #340)
* big-endian fixes for decode, RGBA import and WebPPictureDistortion
Tool updates:
gifwebp, anim_diff - default duration behavior (<= 10ms) changed to match
web browsers, transcoding tools (issue #379)
img2webp, webpmux - allow options to be passed in via a file (issue #355)
Merge tag 'v1.0.0'
libwebp-1.0.0
- 4/2/2018: version 1.0.0
This is a binary compatible release.
* lossy encoder improvements to avoid chroma shifts in various circumstances
(issues #308, #340)
* big-endian fixes for decode, RGBA import and WebPPictureDistortion
Tool updates:
gifwebp, anim_diff - default duration behavior (<= 10ms) changed to match
web browsers, transcoding tools (issue #379)
img2webp, webpmux - allow options to be passed in via a file (issue #355)
* tag 'v1.0.0': (23 commits)
update ChangeLog
webp-container-spec: correct frame duration=0 note
vwebp: Copy Chrome's behavior w/frame duration == 0
update ChangeLog
add WEBP_DSP_INIT / WEBP_DSP_INIT_FUNC
fix 16b overflow in SSE2
makefile.unix: add DEBUG flag for compiling w/ debug-symbol
cwebp,get_disto: fix bpp output
cmake: Make sure we use near-lossless by default.
fix bug in WebPImport565: alpha value was not set
update ChangeLog
Revert "Use proper targets for CMake."
Use proper targets for CMake.
Remove some very hard TODOs.
{de,}mux/Makefile.am: add missing headers
makefile.unix,dist: use ascii for text output
add -version option to anim_dump,anim_diff and img2webp
webp_js: fix webp_js demo html
update ChangeLog
update AUTHORS
...
Change-Id: I5659406c022a0964f728ce2eb35338fd9c195466
the interpretation of a 0 duration depends on the implementation;
merging of multiple frames isn't guaranteed, some may enforce a minimum
duration.
BUG=webp:380
Change-Id: Idf592049d2092e4cc5cfb2e4c59ddbc91bd52f9c
(cherry picked from commit 71c39a06c83b7bfbee136fd40ac710bdda3a237c)
the interpretation of a 0 duration depends on the implementation;
merging of multiple frames isn't guaranteed, some may enforce a minimum
duration.
BUG=webp:380
Change-Id: Idf592049d2092e4cc5cfb2e4c59ddbc91bd52f9c
this internalizes the init checks and provides stronger synchronization
with pthreads when available while still allowing VP8GetCPUInfo to be
modified (mostly for testing purposes). windows is left as is since a
critical section or mutex would cause a leak.
Change-Id: Ieb997e014f2805c0ae39c16f13337663521356f4
(cherry picked from commit d77bf512bd0c4ff53019e357a2d24f6c4e3fbefc)
this internalizes the init checks and provides stronger synchronization
with pthreads when available while still allowing VP8GetCPUInfo to be
modified (mostly for testing purposes). windows is left as is since a
critical section or mutex would cause a leak.
Change-Id: Ieb997e014f2805c0ae39c16f13337663521356f4
the 'accum' variable can be larger than 15b for large
rescale values.
Assert triggered:
src/dsp/rescaler_sse2.c:249: RescalerExportRowExpand_SSE2: Assertion `v >= 0 && v <= 255' failed.
src/dsp/rescaler_sse2.c:350: RescalerExportRowShrink_SSE2: Assertion `v >= 0 && v <= 255' failed.
-> fall back to C implementation in this case for now
Change-Id: I7ea1cb72301cafc1459be403f6a6f4e3cbc89bb1
bits-per-pixel were intended, not bytes-per-pixel
Change-Id: I023349013ac5956154ab4526bd1e195dfe95b8ab
(cherry picked from commit e122e511cf091bb31d7f42503497029abc60256c)