Side by Side Diff: third_party/libwebp/dec/webp.c

Issue 11229048: libwebp: validate chunk size in ParseOptionalChunks (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 1 month ago
1 // Copyright 2010 Google Inc. All Rights Reserved. 1 // Copyright 2010 Google Inc. All Rights Reserved.
2 // 2 //
3 // This code is licensed under the same terms as WebM: 3 // This code is licensed under the same terms as WebM:
4 // Software License Agreement: http://www.webmproject.org/license/software/ 4 // Software License Agreement: http://www.webmproject.org/license/software/
5 // Additional IP Rights Grant: http://www.webmproject.org/license/additional/ 5 // Additional IP Rights Grant: http://www.webmproject.org/license/additional/
6 // ----------------------------------------------------------------------------- 6 // -----------------------------------------------------------------------------
7 // 7 //
8 // Main decoding functions for WEBP images. 8 // Main decoding functions for WEBP images.
9 // 9 //
10 // Author: Skal (pascal.massimino@gmail.com) 10 // Author: Skal (pascal.massimino@gmail.com)
69 *riff_size = 0; // Default: no RIFF present. 69 *riff_size = 0; // Default: no RIFF present.
70 if (*data_size >= RIFF_HEADER_SIZE && !memcmp(*data, "RIFF", TAG_SIZE)) { 70 if (*data_size >= RIFF_HEADER_SIZE && !memcmp(*data, "RIFF", TAG_SIZE)) {
71 if (memcmp(*data + 8, "WEBP", TAG_SIZE)) { 71 if (memcmp(*data + 8, "WEBP", TAG_SIZE)) {
72 return VP8_STATUS_BITSTREAM_ERROR; // Wrong image file signature. 72 return VP8_STATUS_BITSTREAM_ERROR; // Wrong image file signature.
73 } else { 73 } else {
74 const uint32_t size = get_le32(*data + TAG_SIZE); 74 const uint32_t size = get_le32(*data + TAG_SIZE);
75 // Check that we have at least one chunk (i.e "WEBP" + "VP8?nnnn"). 75 // Check that we have at least one chunk (i.e "WEBP" + "VP8?nnnn").
76 if (size < TAG_SIZE + CHUNK_HEADER_SIZE) { 76 if (size < TAG_SIZE + CHUNK_HEADER_SIZE) {
77 return VP8_STATUS_BITSTREAM_ERROR; 77 return VP8_STATUS_BITSTREAM_ERROR;
78 } 78 }
79 if (size > MAX_CHUNK_PAYLOAD) {
80 return VP8_STATUS_BITSTREAM_ERROR;
81 }
79 // We have a RIFF container. Skip it. 82 // We have a RIFF container. Skip it.
80 *riff_size = size; 83 *riff_size = size;
81 *data += RIFF_HEADER_SIZE; 84 *data += RIFF_HEADER_SIZE;
82 *data_size -= RIFF_HEADER_SIZE; 85 *data_size -= RIFF_HEADER_SIZE;
83 } 86 }
84 } 87 }
85 return VP8_STATUS_OK; 88 return VP8_STATUS_OK;
86 } 89 }
87 90
88 // Validates the VP8X header and skips over it. 91 // Validates the VP8X header and skips over it.
170 uint32_t disk_chunk_size; // chunk_size with padding 173 uint32_t disk_chunk_size; // chunk_size with padding
171 174
172 *data = buf; 175 *data = buf;
173 *data_size = buf_size; 176 *data_size = buf_size;
174 177
175 if (buf_size < CHUNK_HEADER_SIZE) { // Insufficient data. 178 if (buf_size < CHUNK_HEADER_SIZE) { // Insufficient data.
176 return VP8_STATUS_NOT_ENOUGH_DATA; 179 return VP8_STATUS_NOT_ENOUGH_DATA;
177 } 180 }
178 181
179 chunk_size = get_le32(buf + TAG_SIZE); 182 chunk_size = get_le32(buf + TAG_SIZE);
183 if (chunk_size > MAX_CHUNK_PAYLOAD) {
184 return VP8_STATUS_BITSTREAM_ERROR; // Not a valid chunk size.
fbarchard 2012/10/23 19:05:05 nit Should be 2 spaces before comment. return VP8_
jzern 2012/10/23 19:23:22 This is consistent to the remainder of the functio
185 }
180 // For odd-sized chunk-payload, there's one byte padding at the end. 186 // For odd-sized chunk-payload, there's one byte padding at the end.
181 disk_chunk_size = (CHUNK_HEADER_SIZE + chunk_size + 1) & ~1; 187 disk_chunk_size = (CHUNK_HEADER_SIZE + chunk_size + 1) & ~1;
182 total_size += disk_chunk_size; 188 total_size += disk_chunk_size;
183 189
184 // Check that total bytes skipped so far does not exceed riff_size. 190 // Check that total bytes skipped so far does not exceed riff_size.
185 if (riff_size > 0 && (total_size > riff_size)) { 191 if (riff_size > 0 && (total_size > riff_size)) {
186 return VP8_STATUS_BITSTREAM_ERROR; // Not a valid chunk size. 192 return VP8_STATUS_BITSTREAM_ERROR; // Not a valid chunk size.
187 } 193 }
188 194
189 if (buf_size < disk_chunk_size) { // Insufficient data. 195 if (buf_size < disk_chunk_size) { // Insufficient data.
762 io->fancy_upsampling = 0; 768 io->fancy_upsampling = 0;
763 } 769 }
764 return 1; 770 return 1;
765 } 771 }
766 772
767 //------------------------------------------------------------------------------ 773 //------------------------------------------------------------------------------
768 774
769 #if defined(__cplusplus) || defined(c_plusplus) 775 #if defined(__cplusplus) || defined(c_plusplus)
770 } // extern "C" 776 } // extern "C"
771 #endif 777 #endif
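Review bot: The new guard at line 183 reuses the comment of the riff_size check at line 192, `// Not a valid chunk size.`, which hides the reason the bound is needed: the very next line computes `(CHUNK_HEADER_SIZE + chunk_size + 1) & ~1` in 32-bit unsigned arithmetic, and a chunk_size near UINT32_MAX would wrap that sum so disk_chunk_size ends up smaller than the real payload, at which point the `buf_size < disk_chunk_size` check at line 195 no longer protects the read that follows. I would make the intent explicit, e.g. `if (chunk_size > MAX_CHUNK_PAYLOAD) {  // Keeps CHUNK_HEADER_SIZE + chunk_size + 1 below from wrapping.`, and the same applies to the new riff `size` check at lines 79-81. Whether the bound is sufficient depends on the value of MAX_CHUNK_PAYLOAD, which is defined elsewhere and not visible on this page; it must be no greater than UINT32_MAX - CHUNK_HEADER_SIZE - 1 for the padded sum to stay representable, so a one-line comment or static check next to its definition would tie the two together. The enclosing function, including the declaration of total_size and the loop that accumulates `total_size += disk_chunk_size`, starts and ends outside the visible lines, so I cannot confirm from here that the accumulated total is bounded when riff_size is 0.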