39 lines
1.7 KiB
Diff
39 lines
1.7 KiB
Diff
From a3b1e52e5a5836fe1fd07013a2a098518b1801de Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Hubert=20Figui=C3=A8re?= <hub@figuiere.net>
|
|
Date: Sat, 27 Jul 2019 20:42:51 -0400
|
|
Subject: [PATCH] (CVE-20220-18652) Bug #12 - Invalid WebP cause memory
|
|
overflow.
|
|
|
|
https://gitlab.freedesktop.org/libopenraw/exempi/issues/12
|
|
(cherry picked from commit acee2894ceb91616543927c2a6e45050c60f98f7)
|
|
---
|
|
XMPFiles/source/FormatSupport/WEBP_Support.cpp | 10 ++++++++--
|
|
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/XMPFiles/source/FormatSupport/WEBP_Support.cpp b/XMPFiles/source/FormatSupport/WEBP_Support.cpp
|
|
index ffaf220..0d4b81d 100644
|
|
--- a/XMPFiles/source/FormatSupport/WEBP_Support.cpp
|
|
+++ b/XMPFiles/source/FormatSupport/WEBP_Support.cpp
|
|
@@ -120,10 +120,16 @@ VP8XChunk::VP8XChunk(Container* parent)
|
|
this->data.assign(this->size, 0);
|
|
XMP_Uns8* bitstream =
|
|
(XMP_Uns8*)parent->chunks[WEBP_CHUNK_IMAGE][0]->data.data();
|
|
+ XMP_Uns32 width = 0;
|
|
+ XMP_Uns32 height = 0;
|
|
// See bug https://bugs.freedesktop.org/show_bug.cgi?id=105247
|
|
// bitstream could be NULL.
|
|
- XMP_Uns32 width = bitstream ? ((bitstream[7] << 8) | bitstream[6]) & 0x3fff : 0;
|
|
- XMP_Uns32 height = bitstream ? ((bitstream[9] << 8) | bitstream[8]) & 0x3fff : 0;
|
|
+ // See bug https://gitlab.freedesktop.org/libopenraw/exempi/issues/12
|
|
+ // image chunk data could be too short (must be 10)
|
|
+ if (parent->chunks[WEBP_CHUNK_IMAGE][0]->data.size() >= 10 && bitstream) {
|
|
+ width = ((bitstream[7] << 8) | bitstream[6]) & 0x3fff;
|
|
+ height = ((bitstream[9] << 8) | bitstream[8]) & 0x3fff;
|
|
+ }
|
|
this->width(width);
|
|
this->height(height);
|
|
parent->vp8x = this;
|
|
--
|
|
2.41.0
|
|
|