webp: disallow multiple VP8X chunks
Per the spec, there should only be one. A malformed image containing
multiple VP8X chunks can cause unexpected memory usage, since
DecodeConfig will only parse the first chunk, which contains the canvas
size, but a subsequent chunk can indicate a significantly larger canvas,
which we will then try to allocate a buffer for.
Change-Id: I240ae76162f4293f6e6991020d18d4d3270cb9b6
Reviewed-on: https://go-review.googlesource.com/c/image/+/551416
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
diff --git a/webp/decode.go b/webp/decode.go
index d6eefd5..e211c7d 100644
--- a/webp/decode.go
+++ b/webp/decode.go
@@ -39,6 +39,7 @@
alpha []byte
alphaStride int
wantAlpha bool
+ seenVP8X bool
widthMinusOne uint32
heightMinusOne uint32
buf [10]byte
@@ -113,6 +114,10 @@
return m, image.Config{}, err
case fccVP8X:
+ if seenVP8X {
+ return nil, image.Config{}, errInvalidFormat
+ }
+ seenVP8X = true
if chunkLen != 10 {
return nil, image.Config{}, errInvalidFormat
}
diff --git a/webp/decode_test.go b/webp/decode_test.go
index ad65b10..00be03f 100644
--- a/webp/decode_test.go
+++ b/webp/decode_test.go
@@ -271,6 +271,14 @@
}
}
+func TestDuplicateVP8X(t *testing.T) {
+ data := []byte{'R', 'I', 'F', 'F', 49, 0, 0, 0, 'W', 'E', 'B', 'P', 'V', 'P', '8', 'X', 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 'V', 'P', '8', 'X', 10, 0, 0, 0, 0x10, 0, 0, 0, 0, 0, 0, 0, 0, 0}
+ _, err := Decode(bytes.NewReader(data))
+ if err != errInvalidFormat {
+ t.Fatalf("unexpected error: want %q, got %q", errInvalidFormat, err)
+ }
+}
+
func benchmarkDecode(b *testing.B, filename string) {
data, err := ioutil.ReadFile("../testdata/blue-purple-pink-large." + filename + ".webp")
if err != nil {
