packages/libwebp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
libwebp/libwebp-fix-riff-size-checks.patch
t_feng 62ceef35b2 fix fuzz
2020-03-13 22:25:17 +08:00

59 lines
2.1 KiB
Diff
Raw Blame History

From 706ff9c325d755060a22a20af336ef913b8c5bac Mon Sep 17 00:00:00 2001
From: James Zern <jzern@google.com>
Date: Thu, 14 Jun 2018 00:03:34 -0700
Subject: [PATCH] muxread,CreateInternal: fix riff size checks
previously when adjusting size down based on a smaller riff_size the
checks were insufficient to prevent 'size -= RIFF_HEADER_SIZE' from
rolling over causing ChunkVerifyAndAssign to over read. the new checks
are imported from demux.c.
BUG=webp:386
---
src/mux/muxread.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/src/mux/muxread.c b/src/mux/muxread.c
index 0b55286..eb5070b 100644
--- a/src/mux/muxread.c
+++ b/src/mux/muxread.c
@@ -187,7 +187,7 @@ WebPMux* WebPMuxCreateInternal(const WebPData* bitstream, int copy_data,
size = bitstream->size;
if (data == NULL) return NULL;
- if (size < RIFF_HEADER_SIZE) return NULL;
+ if (size < RIFF_HEADER_SIZE + CHUNK_HEADER_SIZE) return NULL;
if (GetLE32(data + 0) != MKFOURCC('R', 'I', 'F', 'F') ||
GetLE32(data + CHUNK_HEADER_SIZE) != MKFOURCC('W', 'E', 'B', 'P')) {
return NULL;
@@ -196,8 +196,6 @@ WebPMux* WebPMuxCreateInternal(const WebPData* bitstream, int copy_data,
mux = WebPMuxNew();
if (mux == NULL) return NULL;
- if (size < RIFF_HEADER_SIZE + TAG_SIZE) goto Err;
-
tag = GetLE32(data + RIFF_HEADER_SIZE);
if (tag != kChunks[IDX_VP8].tag &&
tag != kChunks[IDX_VP8L].tag &&
@@ -206,12 +204,11 @@ WebPMux* WebPMuxCreateInternal(const WebPData* bitstream, int copy_data,
}
riff_size = SizeWithPadding(GetLE32(data + TAG_SIZE));
- if (riff_size > MAX_CHUNK_PAYLOAD || riff_size > size) {
- goto Err;
- } else {
- if (riff_size < size) { // Redundant data after last chunk.
- size = riff_size; // To make sure we don't read any data beyond mux_size.
- }
+ if (riff_size < CHUNK_HEADER_SIZE) goto Err;
+ if (riff_size > MAX_CHUNK_PAYLOAD || riff_size > size) goto Err;
+ // There's no point in reading past the end of the RIFF chunk.
+ if (size > riff_size + CHUNK_HEADER_SIZE) {
+ size = riff_size + CHUNK_HEADER_SIZE;
}
end = data + size;
--
2.19.1
Reference in New Issue View Git Blame Copy Permalink