- update to 1.3.2:
* security fix for lossless decoder (boo#1215231 CVE-2023-4863) replacing 0001-Fix-OOB-write-in-BuildHuffmanTable.patch OBS-URL: https://build.opensuse.org/package/show/graphics/libwebp?expand=0&rev=38
This commit is contained in:
parent
b311e642b0
commit
9be68b99de
@ -1,361 +0,0 @@
|
|||||||
From 2af26267cdfcb63a88e5c74a85927a12d6ca1d76 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Vincent Rabaud <vrabaud@google.com>
|
|
||||||
Date: Thu, 7 Sep 2023 21:16:03 +0200
|
|
||||||
Subject: [PATCH] Fix OOB write in BuildHuffmanTable.
|
|
||||||
|
|
||||||
First, BuildHuffmanTable is called to check if the data is valid.
|
|
||||||
If it is and the table is not big enough, more memory is allocated.
|
|
||||||
|
|
||||||
This will make sure that valid (but unoptimized because of unbalanced
|
|
||||||
codes) streams are still decodable.
|
|
||||||
|
|
||||||
Bug: chromium:1479274
|
|
||||||
Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741
|
|
||||||
(cherry picked from commit 902bc9190331343b2017211debcec8d2ab87e17a)
|
|
||||||
---
|
|
||||||
src/dec/vp8l_dec.c | 46 ++++++++++---------
|
|
||||||
src/dec/vp8li_dec.h | 2 +-
|
|
||||||
src/utils/huffman_utils.c | 97 +++++++++++++++++++++++++++++++--------
|
|
||||||
src/utils/huffman_utils.h | 27 +++++++++--
|
|
||||||
4 files changed, 129 insertions(+), 43 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
|
|
||||||
index c0ea0181..7995313f 100644
|
|
||||||
--- a/src/dec/vp8l_dec.c
|
|
||||||
+++ b/src/dec/vp8l_dec.c
|
|
||||||
@@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths(
|
|
||||||
int symbol;
|
|
||||||
int max_symbol;
|
|
||||||
int prev_code_len = DEFAULT_CODE_LENGTH;
|
|
||||||
- HuffmanCode table[1 << LENGTHS_TABLE_BITS];
|
|
||||||
+ HuffmanTables tables;
|
|
||||||
|
|
||||||
- if (!VP8LBuildHuffmanTable(table, LENGTHS_TABLE_BITS,
|
|
||||||
- code_length_code_lengths,
|
|
||||||
- NUM_CODE_LENGTH_CODES)) {
|
|
||||||
+ if (!VP8LHuffmanTablesAllocate(1 << LENGTHS_TABLE_BITS, &tables) ||
|
|
||||||
+ !VP8LBuildHuffmanTable(&tables, LENGTHS_TABLE_BITS,
|
|
||||||
+ code_length_code_lengths, NUM_CODE_LENGTH_CODES)) {
|
|
||||||
goto End;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -277,7 +277,7 @@ static int ReadHuffmanCodeLengths(
|
|
||||||
int code_len;
|
|
||||||
if (max_symbol-- == 0) break;
|
|
||||||
VP8LFillBitWindow(br);
|
|
||||||
- p = &table[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
|
|
||||||
+ p = &tables.curr_segment->start[VP8LPrefetchBits(br) & LENGTHS_TABLE_MASK];
|
|
||||||
VP8LSetBitPos(br, br->bit_pos_ + p->bits);
|
|
||||||
code_len = p->value;
|
|
||||||
if (code_len < kCodeLengthLiterals) {
|
|
||||||
@@ -300,6 +300,7 @@ static int ReadHuffmanCodeLengths(
|
|
||||||
ok = 1;
|
|
||||||
|
|
||||||
End:
|
|
||||||
+ VP8LHuffmanTablesDeallocate(&tables);
|
|
||||||
if (!ok) dec->status_ = VP8_STATUS_BITSTREAM_ERROR;
|
|
||||||
return ok;
|
|
||||||
}
|
|
||||||
@@ -307,7 +308,8 @@ static int ReadHuffmanCodeLengths(
|
|
||||||
// 'code_lengths' is pre-allocated temporary buffer, used for creating Huffman
|
|
||||||
// tree.
|
|
||||||
static int ReadHuffmanCode(int alphabet_size, VP8LDecoder* const dec,
|
|
||||||
- int* const code_lengths, HuffmanCode* const table) {
|
|
||||||
+ int* const code_lengths,
|
|
||||||
+ HuffmanTables* const table) {
|
|
||||||
int ok = 0;
|
|
||||||
int size = 0;
|
|
||||||
VP8LBitReader* const br = &dec->br_;
|
|
||||||
@@ -362,8 +364,7 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
|
|
||||||
VP8LMetadata* const hdr = &dec->hdr_;
|
|
||||||
uint32_t* huffman_image = NULL;
|
|
||||||
HTreeGroup* htree_groups = NULL;
|
|
||||||
- HuffmanCode* huffman_tables = NULL;
|
|
||||||
- HuffmanCode* huffman_table = NULL;
|
|
||||||
+ HuffmanTables* huffman_tables = &hdr->huffman_tables_;
|
|
||||||
int num_htree_groups = 1;
|
|
||||||
int num_htree_groups_max = 1;
|
|
||||||
int max_alphabet_size = 0;
|
|
||||||
@@ -372,6 +373,10 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
|
|
||||||
int* mapping = NULL;
|
|
||||||
int ok = 0;
|
|
||||||
|
|
||||||
+ // Check the table has been 0 initialized (through InitMetadata).
|
|
||||||
+ assert(huffman_tables->root.start == NULL);
|
|
||||||
+ assert(huffman_tables->curr_segment == NULL);
|
|
||||||
+
|
|
||||||
if (allow_recursion && VP8LReadBits(br, 1)) {
|
|
||||||
// use meta Huffman codes.
|
|
||||||
const int huffman_precision = VP8LReadBits(br, 3) + 2;
|
|
||||||
@@ -434,16 +439,15 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
|
|
||||||
|
|
||||||
code_lengths = (int*)WebPSafeCalloc((uint64_t)max_alphabet_size,
|
|
||||||
sizeof(*code_lengths));
|
|
||||||
- huffman_tables = (HuffmanCode*)WebPSafeMalloc(num_htree_groups * table_size,
|
|
||||||
- sizeof(*huffman_tables));
|
|
||||||
htree_groups = VP8LHtreeGroupsNew(num_htree_groups);
|
|
||||||
|
|
||||||
- if (htree_groups == NULL || code_lengths == NULL || huffman_tables == NULL) {
|
|
||||||
+ if (htree_groups == NULL || code_lengths == NULL ||
|
|
||||||
+ !VP8LHuffmanTablesAllocate(num_htree_groups * table_size,
|
|
||||||
+ huffman_tables)) {
|
|
||||||
dec->status_ = VP8_STATUS_OUT_OF_MEMORY;
|
|
||||||
goto Error;
|
|
||||||
}
|
|
||||||
|
|
||||||
- huffman_table = huffman_tables;
|
|
||||||
for (i = 0; i < num_htree_groups_max; ++i) {
|
|
||||||
// If the index "i" is unused in the Huffman image, just make sure the
|
|
||||||
// coefficients are valid but do not store them.
|
|
||||||
@@ -468,19 +472,20 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
|
|
||||||
int max_bits = 0;
|
|
||||||
for (j = 0; j < HUFFMAN_CODES_PER_META_CODE; ++j) {
|
|
||||||
int alphabet_size = kAlphabetSize[j];
|
|
||||||
- htrees[j] = huffman_table;
|
|
||||||
if (j == 0 && color_cache_bits > 0) {
|
|
||||||
alphabet_size += (1 << color_cache_bits);
|
|
||||||
}
|
|
||||||
- size = ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_table);
|
|
||||||
+ size =
|
|
||||||
+ ReadHuffmanCode(alphabet_size, dec, code_lengths, huffman_tables);
|
|
||||||
+ htrees[j] = huffman_tables->curr_segment->curr_table;
|
|
||||||
if (size == 0) {
|
|
||||||
goto Error;
|
|
||||||
}
|
|
||||||
if (is_trivial_literal && kLiteralMap[j] == 1) {
|
|
||||||
- is_trivial_literal = (huffman_table->bits == 0);
|
|
||||||
+ is_trivial_literal = (htrees[j]->bits == 0);
|
|
||||||
}
|
|
||||||
- total_size += huffman_table->bits;
|
|
||||||
- huffman_table += size;
|
|
||||||
+ total_size += htrees[j]->bits;
|
|
||||||
+ huffman_tables->curr_segment->curr_table += size;
|
|
||||||
if (j <= ALPHA) {
|
|
||||||
int local_max_bits = code_lengths[0];
|
|
||||||
int k;
|
|
||||||
@@ -515,14 +520,13 @@ static int ReadHuffmanCodes(VP8LDecoder* const dec, int xsize, int ysize,
|
|
||||||
hdr->huffman_image_ = huffman_image;
|
|
||||||
hdr->num_htree_groups_ = num_htree_groups;
|
|
||||||
hdr->htree_groups_ = htree_groups;
|
|
||||||
- hdr->huffman_tables_ = huffman_tables;
|
|
||||||
|
|
||||||
Error:
|
|
||||||
WebPSafeFree(code_lengths);
|
|
||||||
WebPSafeFree(mapping);
|
|
||||||
if (!ok) {
|
|
||||||
WebPSafeFree(huffman_image);
|
|
||||||
- WebPSafeFree(huffman_tables);
|
|
||||||
+ VP8LHuffmanTablesDeallocate(huffman_tables);
|
|
||||||
VP8LHtreeGroupsFree(htree_groups);
|
|
||||||
}
|
|
||||||
return ok;
|
|
||||||
@@ -1358,7 +1362,7 @@ static void ClearMetadata(VP8LMetadata* const hdr) {
|
|
||||||
assert(hdr != NULL);
|
|
||||||
|
|
||||||
WebPSafeFree(hdr->huffman_image_);
|
|
||||||
- WebPSafeFree(hdr->huffman_tables_);
|
|
||||||
+ VP8LHuffmanTablesDeallocate(&hdr->huffman_tables_);
|
|
||||||
VP8LHtreeGroupsFree(hdr->htree_groups_);
|
|
||||||
VP8LColorCacheClear(&hdr->color_cache_);
|
|
||||||
VP8LColorCacheClear(&hdr->saved_color_cache_);
|
|
||||||
@@ -1673,7 +1677,7 @@ int VP8LDecodeImage(VP8LDecoder* const dec) {
|
|
||||||
|
|
||||||
if (dec == NULL) return 0;
|
|
||||||
|
|
||||||
- assert(dec->hdr_.huffman_tables_ != NULL);
|
|
||||||
+ assert(dec->hdr_.huffman_tables_.root.start != NULL);
|
|
||||||
assert(dec->hdr_.htree_groups_ != NULL);
|
|
||||||
assert(dec->hdr_.num_htree_groups_ > 0);
|
|
||||||
|
|
||||||
diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h
|
|
||||||
index 72b2e861..32540a4b 100644
|
|
||||||
--- a/src/dec/vp8li_dec.h
|
|
||||||
+++ b/src/dec/vp8li_dec.h
|
|
||||||
@@ -51,7 +51,7 @@ typedef struct {
|
|
||||||
uint32_t* huffman_image_;
|
|
||||||
int num_htree_groups_;
|
|
||||||
HTreeGroup* htree_groups_;
|
|
||||||
- HuffmanCode* huffman_tables_;
|
|
||||||
+ HuffmanTables huffman_tables_;
|
|
||||||
} VP8LMetadata;
|
|
||||||
|
|
||||||
typedef struct VP8LDecoder VP8LDecoder;
|
|
||||||
diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c
|
|
||||||
index 90c2fbf7..cf73abd4 100644
|
|
||||||
--- a/src/utils/huffman_utils.c
|
|
||||||
+++ b/src/utils/huffman_utils.c
|
|
||||||
@@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
|
|
||||||
if (num_open < 0) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
- if (root_table == NULL) continue;
|
|
||||||
for (; count[len] > 0; --count[len]) {
|
|
||||||
HuffmanCode code;
|
|
||||||
if ((key & mask) != low) {
|
|
||||||
- table += table_size;
|
|
||||||
+ if (root_table != NULL) table += table_size;
|
|
||||||
table_bits = NextTableBitSize(count, len, root_bits);
|
|
||||||
table_size = 1 << table_bits;
|
|
||||||
total_size += table_size;
|
|
||||||
low = key & mask;
|
|
||||||
- root_table[low].bits = (uint8_t)(table_bits + root_bits);
|
|
||||||
- root_table[low].value = (uint16_t)((table - root_table) - low);
|
|
||||||
+ if (root_table != NULL) {
|
|
||||||
+ root_table[low].bits = (uint8_t)(table_bits + root_bits);
|
|
||||||
+ root_table[low].value = (uint16_t)((table - root_table) - low);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ if (root_table != NULL) {
|
|
||||||
+ code.bits = (uint8_t)(len - root_bits);
|
|
||||||
+ code.value = (uint16_t)sorted[symbol++];
|
|
||||||
+ ReplicateValue(&table[key >> root_bits], step, table_size, code);
|
|
||||||
}
|
|
||||||
- code.bits = (uint8_t)(len - root_bits);
|
|
||||||
- code.value = (uint16_t)sorted[symbol++];
|
|
||||||
- ReplicateValue(&table[key >> root_bits], step, table_size, code);
|
|
||||||
key = GetNextKey(key, len);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -211,25 +214,83 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
|
|
||||||
((1 << MAX_CACHE_BITS) + NUM_LITERAL_CODES + NUM_LENGTH_CODES)
|
|
||||||
// Cut-off value for switching between heap and stack allocation.
|
|
||||||
#define SORTED_SIZE_CUTOFF 512
|
|
||||||
-int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
|
|
||||||
+int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits,
|
|
||||||
const int code_lengths[], int code_lengths_size) {
|
|
||||||
- int total_size;
|
|
||||||
+ const int total_size =
|
|
||||||
+ BuildHuffmanTable(NULL, root_bits, code_lengths, code_lengths_size, NULL);
|
|
||||||
assert(code_lengths_size <= MAX_CODE_LENGTHS_SIZE);
|
|
||||||
- if (root_table == NULL) {
|
|
||||||
- total_size = BuildHuffmanTable(NULL, root_bits,
|
|
||||||
- code_lengths, code_lengths_size, NULL);
|
|
||||||
- } else if (code_lengths_size <= SORTED_SIZE_CUTOFF) {
|
|
||||||
+ if (total_size == 0 || root_table == NULL) return total_size;
|
|
||||||
+
|
|
||||||
+ if (root_table->curr_segment->curr_table + total_size >=
|
|
||||||
+ root_table->curr_segment->start + root_table->curr_segment->size) {
|
|
||||||
+ // If 'root_table' does not have enough memory, allocate a new segment.
|
|
||||||
+ // The available part of root_table->curr_segment is left unused because we
|
|
||||||
+ // need a contiguous buffer.
|
|
||||||
+ const int segment_size = root_table->curr_segment->size;
|
|
||||||
+ struct HuffmanTablesSegment* next =
|
|
||||||
+ (HuffmanTablesSegment*)WebPSafeMalloc(1, sizeof(*next));
|
|
||||||
+ if (next == NULL) return 0;
|
|
||||||
+ // Fill the new segment.
|
|
||||||
+ // We need at least 'total_size' but if that value is small, it is better to
|
|
||||||
+ // allocate a big chunk to prevent more allocations later. 'segment_size' is
|
|
||||||
+ // therefore chosen (any other arbitrary value could be chosen).
|
|
||||||
+ next->size = total_size > segment_size ? total_size : segment_size;
|
|
||||||
+ next->start =
|
|
||||||
+ (HuffmanCode*)WebPSafeMalloc(next->size, sizeof(*next->start));
|
|
||||||
+ if (next->start == NULL) {
|
|
||||||
+ WebPSafeFree(next);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ next->curr_table = next->start;
|
|
||||||
+ next->next = NULL;
|
|
||||||
+ // Point to the new segment.
|
|
||||||
+ root_table->curr_segment->next = next;
|
|
||||||
+ root_table->curr_segment = next;
|
|
||||||
+ }
|
|
||||||
+ if (code_lengths_size <= SORTED_SIZE_CUTOFF) {
|
|
||||||
// use local stack-allocated array.
|
|
||||||
uint16_t sorted[SORTED_SIZE_CUTOFF];
|
|
||||||
- total_size = BuildHuffmanTable(root_table, root_bits,
|
|
||||||
- code_lengths, code_lengths_size, sorted);
|
|
||||||
- } else { // rare case. Use heap allocation.
|
|
||||||
+ BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits,
|
|
||||||
+ code_lengths, code_lengths_size, sorted);
|
|
||||||
+ } else { // rare case. Use heap allocation.
|
|
||||||
uint16_t* const sorted =
|
|
||||||
(uint16_t*)WebPSafeMalloc(code_lengths_size, sizeof(*sorted));
|
|
||||||
if (sorted == NULL) return 0;
|
|
||||||
- total_size = BuildHuffmanTable(root_table, root_bits,
|
|
||||||
- code_lengths, code_lengths_size, sorted);
|
|
||||||
+ BuildHuffmanTable(root_table->curr_segment->curr_table, root_bits,
|
|
||||||
+ code_lengths, code_lengths_size, sorted);
|
|
||||||
WebPSafeFree(sorted);
|
|
||||||
}
|
|
||||||
return total_size;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables) {
|
|
||||||
+ // Have 'segment' point to the first segment for now, 'root'.
|
|
||||||
+ HuffmanTablesSegment* const root = &huffman_tables->root;
|
|
||||||
+ huffman_tables->curr_segment = root;
|
|
||||||
+ // Allocate root.
|
|
||||||
+ root->start = (HuffmanCode*)WebPSafeMalloc(size, sizeof(*root->start));
|
|
||||||
+ if (root->start == NULL) return 0;
|
|
||||||
+ root->curr_table = root->start;
|
|
||||||
+ root->next = NULL;
|
|
||||||
+ root->size = size;
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables) {
|
|
||||||
+ HuffmanTablesSegment *current, *next;
|
|
||||||
+ if (huffman_tables == NULL) return;
|
|
||||||
+ // Free the root node.
|
|
||||||
+ current = &huffman_tables->root;
|
|
||||||
+ next = current->next;
|
|
||||||
+ WebPSafeFree(current->start);
|
|
||||||
+ current->start = NULL;
|
|
||||||
+ current->next = NULL;
|
|
||||||
+ current = next;
|
|
||||||
+ // Free the following nodes.
|
|
||||||
+ while (current != NULL) {
|
|
||||||
+ next = current->next;
|
|
||||||
+ WebPSafeFree(current->start);
|
|
||||||
+ WebPSafeFree(current);
|
|
||||||
+ current = next;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h
|
|
||||||
index 13b7ad1a..98415c53 100644
|
|
||||||
--- a/src/utils/huffman_utils.h
|
|
||||||
+++ b/src/utils/huffman_utils.h
|
|
||||||
@@ -43,6 +43,29 @@ typedef struct {
|
|
||||||
// or non-literal symbol otherwise
|
|
||||||
} HuffmanCode32;
|
|
||||||
|
|
||||||
+// Contiguous memory segment of HuffmanCodes.
|
|
||||||
+typedef struct HuffmanTablesSegment {
|
|
||||||
+ HuffmanCode* start;
|
|
||||||
+ // Pointer to where we are writing into the segment. Starts at 'start' and
|
|
||||||
+ // cannot go beyond 'start' + 'size'.
|
|
||||||
+ HuffmanCode* curr_table;
|
|
||||||
+ // Pointer to the next segment in the chain.
|
|
||||||
+ struct HuffmanTablesSegment* next;
|
|
||||||
+ int size;
|
|
||||||
+} HuffmanTablesSegment;
|
|
||||||
+
|
|
||||||
+// Chained memory segments of HuffmanCodes.
|
|
||||||
+typedef struct HuffmanTables {
|
|
||||||
+ HuffmanTablesSegment root;
|
|
||||||
+ // Currently processed segment. At first, this is 'root'.
|
|
||||||
+ HuffmanTablesSegment* curr_segment;
|
|
||||||
+} HuffmanTables;
|
|
||||||
+
|
|
||||||
+// Allocates a HuffmanTables with 'size' contiguous HuffmanCodes. Returns 0 on
|
|
||||||
+// memory allocation error, 1 otherwise.
|
|
||||||
+int VP8LHuffmanTablesAllocate(int size, HuffmanTables* huffman_tables);
|
|
||||||
+void VP8LHuffmanTablesDeallocate(HuffmanTables* const huffman_tables);
|
|
||||||
+
|
|
||||||
#define HUFFMAN_PACKED_BITS 6
|
|
||||||
#define HUFFMAN_PACKED_TABLE_SIZE (1u << HUFFMAN_PACKED_BITS)
|
|
||||||
|
|
||||||
@@ -78,9 +101,7 @@ void VP8LHtreeGroupsFree(HTreeGroup* const htree_groups);
|
|
||||||
// the huffman table.
|
|
||||||
// Returns built table size or 0 in case of error (invalid tree or
|
|
||||||
// memory error).
|
|
||||||
-// If root_table is NULL, it returns 0 if a lookup cannot be built, something
|
|
||||||
-// > 0 otherwise (but not the table size).
|
|
||||||
-int VP8LBuildHuffmanTable(HuffmanCode* const root_table, int root_bits,
|
|
||||||
+int VP8LBuildHuffmanTable(HuffmanTables* const root_table, int root_bits,
|
|
||||||
const int code_lengths[], int code_lengths_size);
|
|
||||||
|
|
||||||
#ifdef __cplusplus
|
|
||||||
--
|
|
||||||
2.42.0
|
|
||||||
|
|
@ -1,48 +0,0 @@
|
|||||||
From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Vincent Rabaud <vrabaud@google.com>
|
|
||||||
Date: Mon, 11 Sep 2023 16:06:08 +0200
|
|
||||||
Subject: [PATCH] Fix invalid incremental decoding check.
|
|
||||||
|
|
||||||
The first condition is only necessary if we have not read enough
|
|
||||||
(enough being defined by src_last, not src_end which is the end
|
|
||||||
of the image).
|
|
||||||
The second condition now fits the comment below: "if not
|
|
||||||
incremental, and we are past the end of buffer".
|
|
||||||
|
|
||||||
BUG=oss-fuzz:62136
|
|
||||||
|
|
||||||
Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
|
|
||||||
---
|
|
||||||
src/dec/vp8l_dec.c | 15 +++++++++++++--
|
|
||||||
1 file changed, 13 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
|
|
||||||
index 5ab34f56..809b1aa9 100644
|
|
||||||
--- a/src/dec/vp8l_dec.c
|
|
||||||
+++ b/src/dec/vp8l_dec.c
|
|
||||||
@@ -1233,9 +1233,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
|
|
||||||
}
|
|
||||||
|
|
||||||
br->eos_ = VP8LIsEndOfStream(br);
|
|
||||||
- if (dec->incremental_ && br->eos_ && src < src_end) {
|
|
||||||
+ // In incremental decoding:
|
|
||||||
+ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
|
|
||||||
+ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
|
|
||||||
+ // be reset until there is more data.
|
|
||||||
+ // !br->eos_ && src < src_last: this cannot happen as either the buffer is
|
|
||||||
+ // fully read, either enough has been read to reach 'src_last'.
|
|
||||||
+ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
|
|
||||||
+ // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
|
|
||||||
+ // The buffer might have been enough or there is some left. 'br->eos_' does
|
|
||||||
+ // not matter.
|
|
||||||
+ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
|
|
||||||
+ if (dec->incremental_ && br->eos_ && src < src_last) {
|
|
||||||
RestoreState(dec);
|
|
||||||
- } else if (!br->eos_) {
|
|
||||||
+ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
|
|
||||||
// Process the remaining rows corresponding to last row-block.
|
|
||||||
if (process_func != NULL) {
|
|
||||||
process_func(dec, row > last_row ? last_row : row);
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:b3779627c2dfd31e3d8c4485962c2efe17785ef975e2be5c8c0c9e6cd3c4ef66
|
|
||||||
size 4161782
|
|
@ -1,16 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEaw5rcJdt4wPt8vYB+cPWvbgjK10FAmSc5osACgkQ+cPWvbgj
|
|
||||||
K12FbxAAgfRFe8KevbVD+5x+uQPYRg0kvXBwRohRymiab64pM3fAZShlTaX8bHOu
|
|
||||||
YD84PkXCWrSJ9Z6RYWdgCOfrmw68OL0OuFtprD2KqMI1lQTUvKFvuGuLtpZ6yzZl
|
|
||||||
MCrDHnt5wbOFI0zVDn/LP6JGFX7OwSv09z8Nm4Nc4U55y/lzyNqmb7nkoYpZ9QtA
|
|
||||||
B4fXgp/nlrjEwdOOemggk9QGNNe/ivuePmdMRw2Vz0g+CKVOAbvq34KQN4eDr3V7
|
|
||||||
oygGclGURJ9RgAx847B3EgE/NSIRZS1XntksqpgSIo6EYDH6TUSXJZ2+bNTAdAdi
|
|
||||||
hRX/mfc3k5AhS4RIxl00DC0TOSOiUGsvq2YsO7As5Eu93BVCGd7knYDivciJ0HDE
|
|
||||||
rS55R3ReM/YD9sn6Ix886e8n9kSeJYMXQcpgpRYvomWvLgppWtukpEwjMKhsJlR1
|
|
||||||
/11rQNh5DsJcSk4x2nhPF7CTB7Ls7IcR9VdhUZhAaZ4MfxZylHQBOArgAbDZ+tA5
|
|
||||||
gYedMnFe+bfVEKZa5C9KCQ9nDn/DPz6wFWNq5fr7/isng1lppW5V8r2YlLhzXoL/
|
|
||||||
bpY7zAN0bbfVvZH3PYl+Syg5kDbSJE/5mADHBO8e7VKVJITl6zCW6evAyZGTiX+k
|
|
||||||
1ea+Twq1RroVtinbcoJZA/m8V/de5dRp8Qs4yuV7RZTe6XD/w5w=
|
|
||||||
=HjVJ
|
|
||||||
-----END PGP SIGNATURE-----
|
|
BIN
libwebp-1.3.2.tar.gz
(Stored with Git LFS)
Normal file
BIN
libwebp-1.3.2.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
16
libwebp-1.3.2.tar.gz.asc
Normal file
16
libwebp-1.3.2.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEEaw5rcJdt4wPt8vYB+cPWvbgjK10FAmUCSVoACgkQ+cPWvbgj
|
||||||
|
K13/+xAAxdcgcBz6PAuDriln0NcEGqzLkhstDJIsBr9E/VpXKrr1La4z/7IdCHZv
|
||||||
|
fi7xkH9zBiz+DjhEKICi/ItCJ0toovn0tiZIYZDZWdZ+wyi1Sns+w7rIPjrjNYpN
|
||||||
|
nHCRyG8CZfTPJhPyWwrxj+ESkzogDpd+zEewE4gpLq4K3+HWIVA+IOV8K6tDRXua
|
||||||
|
HgmWqQ+BSqAH9tc2kb8OeUuEYhBevb6PP8ijMKrC04WFI7DaAgCr4JeS3+brTfg+
|
||||||
|
CUEw2af1THOA1vKeNo42xInduX8fZ3HPHAFwJzfNxYzJOyPVsOfG2pDPuUngB360
|
||||||
|
ejc1nBk/tjqmdw01cAjhOKNcY6vctAW3Q8akTI2jCZftEoCbSxLHHdPCGvVOU8xy
|
||||||
|
zPLyq06k71GI6aPYCBUcBqoGSdhY4FsSFkAzc+Ix28h6sJ4jakYPeXq9YoE/66HW
|
||||||
|
s4O7FhBvsGlrUgTehrnFGgX+G9IB63zldfI6XfKZ6Z8upD/oy3EWDPBdvIX2vDQj
|
||||||
|
wxYZtOljtNprljhcQ8xu1Kc68M3H4UYiEynYt1bq0dLucXqbb+axhmv5WilAqoXH
|
||||||
|
iZQxcg6K1OKNSW7XAc0T3a2un8mREJAy4EddBKSsgp7RnHoRkKDzrNzYTPw6DZeh
|
||||||
|
861HUotMSKAFXSLPyVpZRIG6IX6R62e+TKY5zT2hlA7K7UneLFA=
|
||||||
|
=/nBK
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 15 07:37:46 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
|
||||||
|
|
||||||
|
- update to 1.3.2:
|
||||||
|
* security fix for lossless decoder (boo#1215231 CVE-2023-4863)
|
||||||
|
replacing 0001-Fix-OOB-write-in-BuildHuffmanTable.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Sep 14 01:27:02 UTC 2023 - Xiaoguang Wang <xiaoguang.wang@suse.com>
|
Thu Sep 14 01:27:02 UTC 2023 - Xiaoguang Wang <xiaoguang.wang@suse.com>
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
Name: libwebp
|
Name: libwebp
|
||||||
Version: 1.3.1
|
Version: 1.3.2
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Library and tools for the WebP graphics format
|
Summary: Library and tools for the WebP graphics format
|
||||||
License: BSD-3-Clause
|
License: BSD-3-Clause
|
||||||
@ -28,8 +28,6 @@ Source: https://storage.googleapis.com/downloads.webmproject.org/release
|
|||||||
Source2: https://storage.googleapis.com/downloads.webmproject.org/releases/webp/libwebp-%version.tar.gz.asc
|
Source2: https://storage.googleapis.com/downloads.webmproject.org/releases/webp/libwebp-%version.tar.gz.asc
|
||||||
Source3: %name.keyring
|
Source3: %name.keyring
|
||||||
Source4: baselibs.conf
|
Source4: baselibs.conf
|
||||||
Patch1: 0001-Fix-OOB-write-in-BuildHuffmanTable.patch
|
|
||||||
Patch2: 0001-Fix-invalid-incremental-decoding-check.patch
|
|
||||||
|
|
||||||
BuildRequires: giflib-devel
|
BuildRequires: giflib-devel
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
|
Loading…
Reference in New Issue
Block a user