Skip to content

Commit

Permalink
[Backport] Security bug 1455619
Browse files Browse the repository at this point in the history
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/webm/libwebp/+/4634862:
EncodeAlphaInternal: add missing error check

VP8LBitWriterFinish() may cause the VP8LBitWriter's buffer to be grown.
If that allocation fails, VP8LBitWriterNumBytes() will return a size
larger than the current allocation resulting in a heap overwrite of the
missing bytes.

==13==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61900005b880 at pc 0x00000049ffc1 bp 0x7fff144f5b40 sp 0x7fff144f5310
READ of size 1028 at 0x61900005b880 thread T0
    #0 0x49ffc0 in __asan_memcpy
    #1 0x695861 in VP8BitWriterAppend src/utils/bit_writer_utils.c:186:3
    #2 0x65acf9 in EncodeAlphaInternal src/enc/alpha_enc.c:169:14

Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz).

This is the same issue that was fixed in the non-alpha lossless path in:
d49cfbb3 vp8l_enc,WriteImage: add missing error check

Bug: chromium:1455619
Change-Id: I6bd10de213707d3d6b7ce3d0d2b3942af45d317f
(cherry picked from commit c3bd7cff2e57b4bf1b744e70dd379570d83fb0e4)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/499078
Reviewed-by: Allan Sandfeld Jensen <[email protected]>
  • Loading branch information
jzern authored and mibrunin committed Aug 25, 2023
1 parent c6b912e commit 6c0188f
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions chromium/third_party/libwebp/src/src/enc/alpha_enc.c
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,11 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height,
!reduce_levels, &tmp_bw, &result->stats);
if (ok) {
output = VP8LBitWriterFinish(&tmp_bw);
if (tmp_bw.error_) {
VP8LBitWriterWipeOut(&tmp_bw);
memset(&result->bw, 0, sizeof(result->bw));
return 0;
}
output_size = VP8LBitWriterNumBytes(&tmp_bw);
if (output_size > data_size) {
// compressed size is larger than source! Revert to uncompressed mode.
Expand Down

0 comments on commit 6c0188f

Please sign in to comment.