Fix OOB write in BuildHuffmanTable.

First, BuildHuffmanTable is called to check if the data is valid. If it is and the table is not big enough, more memory is allocated. This will make sure that valid (but unoptimized because of unbalanced codes) streams are still decodable. Bug: chromium:1479274 Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741 (cherry picked from commit 902bc91903) (cherry picked from commit 2af26267cd)
vp8l_enc,WriteImage: add missing error check
2025-12-24 05:56:27 +01:00 · 2023-09-07 18:12:56 -07:00 · 2023-06-17 04:49:53 +00:00
1 changed files with 5 additions and 0 deletions
--- a/src/enc/vp8l_enc.c
+++ b/src/enc/vp8l_enc.c
@@ -1449,6 +1449,11 @@ static int WriteImage(const WebPPicture* const pic, VP8LBitWriter* const bw,
  const size_t vp8l_size = VP8L_SIGNATURE_SIZE + webpll_size;
  const size_t pad = vp8l_size & 1;
  const size_t riff_size = TAG_SIZE + CHUNK_HEADER_SIZE + vp8l_size + pad;
+  *coded_size = 0;
+
+  if (bw->error_) {
+    return WebPEncodingSetError(pic, VP8_ENC_ERROR_OUT_OF_MEMORY);
+  }

  if (!WriteRiffHeader(pic, riff_size, vp8l_size) ||
      !pic->writer(webpll_data, webpll_size, pic)) {