From e63fc8d3ba738315835ff3c207490fea1166bb04 Mon Sep 17 00:00:00 2001 From: James Zern Date: Tue, 20 Jun 2023 11:49:57 -0700 Subject: [PATCH] [Backport] Security bug 1455619 Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/webm/libwebp/+/4634862: EncodeAlphaInternal: add missing error check VP8LBitWriterFinish() may cause the VP8LBitWriter's buffer to be grown. If that allocation fails, VP8LBitWriterNumBytes() will return a size larger than the current allocation resulting in a heap overwrite of the missing bytes. ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900005b880 at pc 0x00000049ffc1 bp 0x7fff144f5b40 sp 0x7fff144f5310 READ of size 1028 at 0x61900005b880 thread T0 #0 0x49ffc0 in __asan_memcpy #1 0x695861 in VP8BitWriterAppend src/utils/bit_writer_utils.c:186:3 #2 0x65acf9 in EncodeAlphaInternal src/enc/alpha_enc.c:169:14 Found by Nallocfuzz (https://github.com/catenacyber/nallocfuzz). This is the same issue that was fixed in the non-alpha lossless path in: d49cfbb3 vp8l_enc,WriteImage: add missing error check Bug: chromium:1455619 Change-Id: I6bd10de213707d3d6b7ce3d0d2b3942af45d317f (cherry picked from commit c3bd7cff2e57b4bf1b744e70dd379570d83fb0e4) Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/500280 Reviewed-by: Michal Klocek --- chromium/third_party/libwebp/src/src/enc/alpha_enc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/chromium/third_party/libwebp/src/src/enc/alpha_enc.c b/chromium/third_party/libwebp/src/src/enc/alpha_enc.c index f7c02690e3cf..a9136d074a87 100644 --- a/chromium/third_party/libwebp/src/src/enc/alpha_enc.c +++ b/chromium/third_party/libwebp/src/src/enc/alpha_enc.c 
@@ -140,6 +140,11 @@ static int EncodeAlphaInternal(const uint8_t* const data, int width, int height, !reduce_levels, &tmp_bw, &result->stats); if (ok) { output = VP8LBitWriterFinish(&tmp_bw); + if (tmp_bw.error_) { + VP8LBitWriterWipeOut(&tmp_bw); + memset(&result->bw, 0, sizeof(result->bw)); + return 0; + } output_size = VP8LBitWriterNumBytes(&tmp_bw); if (output_size > data_size) { // compressed size is larger than source! Revert to uncompressed mode.
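Review bot: the new `if (tmp_bw.error_)` block sits right after `output = VP8LBitWriterFinish(&tmp_bw);` with no comment explaining why the check must come there; a one-line comment such as `// VP8LBitWriterFinish() may grow the buffer; on allocation failure NumBytes() no longer matches the allocation.` would keep a future reordering from moving `VP8LBitWriterNumBytes()` or the append ahead of the check and reintroducing the overread. The placement itself is correct, since `output` and `output_size` are only consumed after the early `return 0`. Two things worth confirming in the surrounding code, which this hunk does not show: that the other failure paths of `EncodeAlphaInternal` also zero `result->bw` with the same `memset`, so callers can unconditionally wipe `result->bw` after a 0 return, and that the normal path calls `VP8LBitWriterWipeOut(&tmp_bw)` before returning, so the explicit wipe here is the only thing keeping the early return from leaking the writer's buffer.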