From f4cf238a415542140dfb877d4ddee9a2b11b8183 Mon Sep 17 00:00:00 2001
|
|
From: James Zern <jzern@google.com>
|
|
Date: Fri, 29 Jun 2018 01:12:20 -0700
|
|
Subject: [PATCH] muxread,anmf: fail on multiple image chunks
|
|
|
|
treat an ANMF chunk containing multiple VP8/VP8L files as malformed.
|
|
fixes a WebPMuxImage::img_ leak.
|
|
|
|
Though the invalid free in #9106 was avoided in (ubsan):
|
|
be738c6d muxread,ChunkVerifyAndAssign: validate chunk_size
|
|
that file would still cause a leak similar to #9099.
|
|
|
|
BUG=oss-fuzz:9099,oss-fuzz:9106
|
|
|
|
Change-Id: Ib873446a1188afeeb2fe5d53a86b75e0c5de9573
|
|
(cherry picked from commit eb82ce76ddca13ad6fb13376bb58b9fd3f850e9e)
|
|
---
|
|
src/mux/muxread.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/src/mux/muxread.c b/src/mux/muxread.c
|
|
index ef50dae51..fbe9f0516 100644
|
|
--- a/src/mux/muxread.c
|
|
+++ b/src/mux/muxread.c
|
|
@@ -138,6 +138,7 @@ static int MuxImageParse(const WebPChunk* const chunk, int copy_data,
|
|
wpi->is_partial_ = 1; // Waiting for a VP8 chunk.
|
|
break;
|
|
case WEBP_CHUNK_IMAGE:
|
|
+ if (wpi->img_ != NULL) goto Fail; // Only 1 image chunk allowed.
|
|
if (ChunkSetNth(&subchunk, &wpi->img_, 1) != WEBP_MUX_OK) goto Fail;
|
|
if (!MuxImageFinalize(wpi)) goto Fail;
|
|
wpi->is_partial_ = 0; // wpi is completely filled.
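Review bot: The comment on the new guard under `case WEBP_CHUNK_IMAGE:` says only that one image chunk is allowed and leaves out the memory-safety reason, which the commit message gives as a `WebPMuxImage::img_` leak; I would write `// A second VP8/VP8L chunk would replace wpi->img_ and leak the first; reject the frame as malformed.` The diffstat shows only `src/mux/muxread.c` changing, so no regression input for the two oss-fuzz reports is added here, and a small malformed-ANMF test case would keep the check from being dropped later. The new `goto Fail` is taken before `subchunk` is handed to `ChunkSetNth`, and the `Fail` label is outside the hunk, so it is worth confirming that it releases `subchunk` when `copy_data` is set. MuxImageParse begins and ends outside the hunk, so whether `wpi->img_` is always NULL on entry cannot be checked from here.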
|