libwebp: validate chunk size in ParseOptionalChunks

third_party/libwebp/dec/webp.c

Index: third_party/libwebp/dec/webp.c
diff --git a/third_party/libwebp/dec/webp.c b/third_party/libwebp/dec/webp.c
index edd348cbe70c509dc721bffd502621e8c9f08d22..7455da9415047d560a864beeb60f573e01d95bc9 100644
--- a/third_party/libwebp/dec/webp.c
+++ b/third_party/libwebp/dec/webp.c
@@ -76,6 +76,9 @@ static VP8StatusCode ParseRIFF(const uint8_t** const data,
       if (size < TAG_SIZE + CHUNK_HEADER_SIZE) {
         return VP8_STATUS_BITSTREAM_ERROR;
       }
+      if (size > MAX_CHUNK_PAYLOAD) {
+        return VP8_STATUS_BITSTREAM_ERROR;
+      }
       // We have a RIFF container. Skip it.
       *riff_size = size;
       *data += RIFF_HEADER_SIZE;
@@ -177,6 +180,9 @@ static VP8StatusCode ParseOptionalChunks(const uint8_t** const data,
     }
 
     chunk_size = get_le32(buf + TAG_SIZE);
+    if (chunk_size > MAX_CHUNK_PAYLOAD) {
+      return VP8_STATUS_BITSTREAM_ERROR;          // Not a valid chunk size.

[fbarchard, 2012/10/23 19:05:05]

nit Should be 2 spaces before comment.
return VP8_STATUS_BITSTREAM_ERROR;  // Not a valid chunk size.

[jzern, 2012/10/23 19:23:22]

This is consistent to the remainder of the function. any cosmetics can be done
upstream...

+    }
     // For odd-sized chunk-payload, there's one byte padding at the end.
     disk_chunk_size = (CHUNK_HEADER_SIZE + chunk_size + 1) & ~1;
     total_size += disk_chunk_size;