Bring in fix for Chrome's 157079.

The upstream fix is at https://chromiumcodereview.appspot.com/11229048

Change-Id: I98a7c55e4fe01f679233df1ad2316f0f7833c923
diff --git a/src/dec/webp.c b/src/dec/webp.c
index 54cb6d3..1edf6d9 100644
--- a/src/dec/webp.c
+++ b/src/dec/webp.c
@@ -76,6 +76,9 @@
       if (size < TAG_SIZE + CHUNK_HEADER_SIZE) {
         return VP8_STATUS_BITSTREAM_ERROR;
       }
+      if (size > MAX_CHUNK_PAYLOAD) {
+        return VP8_STATUS_BITSTREAM_ERROR;
+      }
       // We have a RIFF container. Skip it.
       *riff_size = size;
       *data += RIFF_HEADER_SIZE;
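Review bot: The new guard `if (size > MAX_CHUNK_PAYLOAD)` has no comment saying what it protects against, and the definition of `MAX_CHUNK_PAYLOAD` is not part of this diff, so the bound cannot be confirmed from here. The check presumably only helps if that constant leaves headroom for the header and padding bytes added to a 32-bit size later. I would state that beside the check, e.g. `// Reject sizes that would overflow 32-bit arithmetic once header and padding are added.` The enclosing function starts and ends outside the hunk, so how `*riff_size` is used afterwards is inferred rather than visible.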
@@ -177,6 +180,9 @@
     }
 
     chunk_size = get_le32(buf + TAG_SIZE);
+    if (chunk_size > MAX_CHUNK_PAYLOAD) {
+      return VP8_STATUS_BITSTREAM_ERROR;          // Not a valid chunk size.
+    }
     // For odd-sized chunk-payload, there's one byte padding at the end.
     disk_chunk_size = (CHUNK_HEADER_SIZE + chunk_size + 1) & ~1;
     total_size += disk_chunk_size;
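Review bot: The added check keeps `(CHUNK_HEADER_SIZE + chunk_size + 1) & ~1` from wrapping, but nothing visible in this hunk bounds `total_size += disk_chunk_size` on the last line. If `total_size` is a 32-bit value and this code runs once per chunk, a sequence of chunk sizes that each pass the new check could still wrap the sum. I would either test the remaining headroom before the addition or confirm that a comparison against the RIFF size outside the hunk covers it. The trailing comment could also give the reason, e.g. `// Would overflow disk_chunk_size below.` The function body continues outside the hunk.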