-rw-r--r-- | third_party/libwebp/README.chromium | 3 | ||||
-rw-r--r-- | third_party/libwebp/dec/webp.c | 33 | ||||
-rw-r--r-- | third_party/libwebp/demux/demux.c | 26 |
3 files changed, 53 insertions, 9 deletions
diff --git a/third_party/libwebp/README.chromium b/third_party/libwebp/README.chromium index 94ca1cf..63b625c 100644 --- a/third_party/libwebp/README.chromium +++ b/third_party/libwebp/README.chromium @@ -20,3 +20,6 @@ Local changes: * Removed examples/, documentation and build related files, keeping only the contents of src/ less mux/ which is unused. * Merged COPYING/PATENTS to LICENSE +Cherry-picks: + f626fe2 Detect canvas and image size mismatch in decoder. + f5fbdee demux: stricter image bounds check diff --git a/third_party/libwebp/dec/webp.c b/third_party/libwebp/dec/webp.c index 97e79b6..e4fe73d 100644 --- a/third_party/libwebp/dec/webp.c +++ b/third_party/libwebp/dec/webp.c @@ -286,6 +286,10 @@ static VP8StatusCode ParseHeadersInternal(const uint8_t* data, int* const has_alpha, int* const has_animation, WebPHeaderStructure* const headers) { + int canvas_width = 0; + int canvas_height = 0; + int image_width = 0; + int image_height = 0; int found_riff = 0; int found_vp8x = 0; VP8StatusCode status; 
@@ -308,19 +312,25 @@ static VP8StatusCode ParseHeadersInternal(const uint8_t* data, // Skip over VP8X. { uint32_t flags = 0; - status = ParseVP8X(&data, &data_size, &found_vp8x, width, height, &flags); + int animation_present; + status = ParseVP8X(&data, &data_size, &found_vp8x, + &canvas_width, &canvas_height, &flags); if (status != VP8_STATUS_OK) { return status; // Wrong VP8X / insufficient data. } + animation_present = !!(flags & ANIMATION_FLAG); if (!found_riff && found_vp8x) { // Note: This restriction may be removed in the future, if it becomes // necessary to send VP8X chunk to the decoder. return VP8_STATUS_BITSTREAM_ERROR; } if (has_alpha != NULL) *has_alpha = !!(flags & ALPHA_FLAG); - if (has_animation != NULL) *has_animation = !!(flags & ANIMATION_FLAG); - if (found_vp8x && headers == NULL) { - return VP8_STATUS_OK; // Return features from VP8X header. + if (has_animation != NULL) *has_animation = animation_present; + + if (found_vp8x && animation_present && headers == NULL) { + if (width != NULL) *width = canvas_width; + if (height != NULL) *height = canvas_height; + return VP8_STATUS_OK; // Just return features from VP8X header. } } @@ -351,8 +361,8 @@ static VP8StatusCode ParseHeadersInternal(const uint8_t* data, return VP8_STATUS_NOT_ENOUGH_DATA; } // Validates raw VP8 data. - if (!VP8GetInfo(data, data_size, - (uint32_t)hdrs.compressed_size, width, height)) { + if (!VP8GetInfo(data, data_size, (uint32_t)hdrs.compressed_size, + &image_width, &image_height)) { return VP8_STATUS_BITSTREAM_ERROR; } } else { 
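Review bot: In the VP8X block of ParseHeadersInternal (third_party/libwebp/dec/webp.c, hunk at -308,19), the early return now requires `animation_present` as well as `headers == NULL`, so a VP8X file with the animation flag set and a non-NULL `headers` falls through to the VP8/VP8L header parsing and to the strict `canvas_width != image_width || canvas_height != image_height` comparison added later in this commit. Whether animated input can reach that path depends on code outside the hunk, but if it can, the equality test would compare the canvas against a single frame's bitstream rather than a still image. I would state the intent next to the condition, for example `// Animated files: report canvas size only; with headers set, parsing continues and the size check below applies.`, or skip the comparison explicitly when `animation_present` is set. The function begins and ends outside this hunk.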
@@ -360,11 +370,18 @@ static VP8StatusCode ParseHeadersInternal(const uint8_t* data, return VP8_STATUS_NOT_ENOUGH_DATA; } // Validates raw VP8L data. - if (!VP8LGetInfo(data, data_size, width, height, has_alpha)) { + if (!VP8LGetInfo(data, data_size, &image_width, &image_height, has_alpha)) { return VP8_STATUS_BITSTREAM_ERROR; } } - + // Validates image size coherency. TODO(urvang): what about FRGM? + if (found_vp8x) { + if (canvas_width != image_width || canvas_height != image_height) { + return VP8_STATUS_BITSTREAM_ERROR; + } + } + if (width != NULL) *width = image_width; + if (height != NULL) *height = image_height; if (has_alpha != NULL) { // If the data did not contain a VP8X/VP8L chunk the only definitive way // to set this is by looking for alpha data (from an ALPH chunk). diff --git a/third_party/libwebp/demux/demux.c b/third_party/libwebp/demux/demux.c index bd17ff7..8c2250d 100644 --- a/third_party/libwebp/demux/demux.c +++ b/third_party/libwebp/demux/demux.c @@ -597,6 +597,25 @@ static int IsValidSimpleFormat(const WebPDemuxer* const dmux) { return 1; } +// If 'exact' is true, check that the image resolution matches the canvas. +// If 'exact' is false, check that the x/y offsets do not exceed the canvas. +static int CheckFrameBounds(const Frame* const frame, int exact, + int canvas_width, int canvas_height) { + if (exact) { + if (frame->x_offset_ != 0 || frame->y_offset_ != 0) { + return 0; + } + if (frame->width_ != canvas_width || frame->height_ != canvas_height) { + return 0; + } + } else { + if (frame->x_offset_ < 0 || frame->y_offset_ < 0) return 0; + if (frame->width_ + frame->x_offset_ > canvas_width) return 0; + if (frame->height_ + frame->y_offset_ > canvas_height) return 0; + } + return 1; +} + static int IsValidExtendedFormat(const WebPDemuxer* const dmux) { const int has_fragments = !!(dmux->feature_flags_ & FRAGMENTS_FLAG); const int has_frames = !!(dmux->feature_flags_ & ANIMATION_FLAG); 
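Review bot: In CheckFrameBounds (third_party/libwebp/demux/demux.c, hunk at +597), the non-exact branch computes `frame->width_ + frame->x_offset_` and `frame->height_ + frame->y_offset_` before comparing, which is signed overflow if the parsed fields are not already bounded; their types and limits are set outside this hunk. Since the offsets have just been checked to be non-negative, the subtraction form avoids the addition: `if (frame->width_ > canvas_width - frame->x_offset_) return 0;` and likewise for the height. The helper also does not reject non-positive `width_`/`height_` itself; the caller added in this commit guards on `f->width_ > 0 && f->height_ > 0`, so a comment such as `// Caller must ensure width_ and height_ are positive.` would keep a later caller from relying on the helper alone.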
@@ -620,7 +639,6 @@ static int IsValidExtendedFormat(const WebPDemuxer* const dmux) { if (!has_fragments && f->is_fragment_) return 0; if (!has_frames && f->frame_num_ > 1) return 0; - if (f->x_offset_ < 0 || f->y_offset_ < 0) return 0; if (f->complete_) { if (alpha->size_ == 0 && image->size_ == 0) return 0; // Ensure alpha precedes image bitstream. @@ -642,6 +660,12 @@ static int IsValidExtendedFormat(const WebPDemuxer* const dmux) { if (f->next_ != NULL) return 0; } + if (f->width_ > 0 && f->height_ > 0 && + !CheckFrameBounds(f, !(has_frames || has_fragments), + dmux->canvas_width_, dmux->canvas_height_)) { + return 0; + } + fragment_count += f->is_fragment_; ++frame_count; } |
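Review bot: In IsValidExtendedFormat (third_party/libwebp/demux/demux.c, hunk at -642,6), the new CheckFrameBounds call is gated on `f->width_ > 0 && f->height_ > 0`, while the unconditional `f->x_offset_ < 0 || f->y_offset_ < 0` test is removed earlier in the same loop, so a frame whose width or height is still zero is no longer rejected for a negative offset. If offsets can be populated before the dimensions are known (not visible here), keeping the sign check outside the gate preserves the previous guarantee: `if (f->x_offset_ < 0 || f->y_offset_ < 0) return 0;`. A short comment on the gate explaining why zero-sized frames skip the bounds check would also help the next reader. The loop body continues outside the hunk.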