rpms / libwebp

Clone
Source Code
GIT

Blame SOURCES/rhbz-1956853.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-beta c7-ppc64le c8 c8-beta c8s c9 c9-beta
  1.   302cafb76a42ee4b2683da24c96016ed4d84fbb8
  2.   SOURCES
  3.   rhbz-1956853.patch
Blob History Raw
07a7da 
diff --git a/src/mux/muxread.c b/src/mux/muxread.c
07a7da 
index 0b55286..eb5070b 100644
07a7da 
--- a/src/mux/muxread.c
07a7da 
+++ b/src/mux/muxread.c
07a7da
07a7da 
@@ -187,7 +187,7 @@
07a7da 
   size = bitstream->size;
07a7da
07a7da 
   if (data == NULL) return NULL;
07a7da 
-  if (size < RIFF_HEADER_SIZE) return NULL;
07a7da 
+  if (size < RIFF_HEADER_SIZE + CHUNK_HEADER_SIZE) return NULL;
07a7da 
   if (GetLE32(data + 0) != MKFOURCC('R', 'I', 'F', 'F') ||
07a7da 
       GetLE32(data + CHUNK_HEADER_SIZE) != MKFOURCC('W', 'E', 'B', 'P')) {
07a7da 
     return NULL;
07a7da 
@@ -196,8 +196,6 @@
07a7da 
   mux = WebPMuxNew();
07a7da 
   if (mux == NULL) return NULL;
07a7da
07a7da 
-  if (size < RIFF_HEADER_SIZE + TAG_SIZE) goto Err;
07a7da 
-
07a7da 
   tag = GetLE32(data + RIFF_HEADER_SIZE);
07a7da 
   if (tag != kChunks[IDX_VP8].tag &&
07a7da 
       tag != kChunks[IDX_VP8L].tag &&
07a7da 
@@ -206,12 +204,11 @@
07a7da 
   }
07a7da
07a7da 
   riff_size = SizeWithPadding(GetLE32(data + TAG_SIZE));
07a7da 
-  if (riff_size > MAX_CHUNK_PAYLOAD || riff_size > size) {
07a7da 
-    goto Err;
07a7da 
-  } else {
07a7da 
-    if (riff_size < size) {  // Redundant data after last chunk.
07a7da 
-      size = riff_size;  // To make sure we don't read any data beyond mux_size.
07a7da 
-    }
07a7da 
+  if (riff_size < CHUNK_HEADER_SIZE) goto Err;
07a7da 
+  if (riff_size > MAX_CHUNK_PAYLOAD || riff_size > size) goto Err;
07a7da 
+  // There's no point in reading past the end of the RIFF chunk.
07a7da 
+  if (size > riff_size + CHUNK_HEADER_SIZE) {
07a7da 
+    size = riff_size + CHUNK_HEADER_SIZE;
07a7da 
   }
07a7da
07a7da 
   end = data + size;
07a7da

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation