File libwebp-CVE-2020-36331.patch of Package libwebp.24379

Overview Repositories Revisions Requests Users Attributes Meta

File libwebp-CVE-2020-36331.patch of Package libwebp.24379

From be738c6d396fa5a272c1b209be4379a7532debfe Mon Sep 17 00:00:00 2001
From: James Zern <jzern@google.com>
Date: Thu, 21 Jun 2018 01:13:36 +0000
Subject: [PATCH] muxread,ChunkVerifyAndAssign: validate chunk_size

before accounting for padding which might overflow if chunk_size is >
MAX_CHUNK_PAYLOAD.

BUG=webp:387,webp:388

Change-Id: I3985b8817ed4faaec0629102c5333c228a0e9c98
Backported by Mike Gorse <mgorse@suse.com>
---
diff -urp libwebp-0.5.0.orig/src/mux/muxi.h libwebp-0.5.0/src/mux/muxi.h
--- libwebp-0.5.0.orig/src/mux/muxi.h	2015-12-18 02:04:24.000000000 -0600
+++ libwebp-0.5.0/src/mux/muxi.h	2021-05-13 10:27:44.696586646 -0500
@@ -14,6 +14,7 @@
 #ifndef WEBP_MUX_MUXI_H_
 #define WEBP_MUX_MUXI_H_
 
+#include <assert.h>
 #include <stdlib.h>
 #include "../dec/vp8i.h"
 #include "../dec/vp8li.h"
@@ -144,13 +145,13 @@ void ChunkListDelete(WebPChunk** const c
 
 // Returns size of the chunk including chunk header and padding byte (if any).
 static WEBP_INLINE size_t SizeWithPadding(size_t chunk_size) {
+  assert(chunk_size <= MAX_CHUNK_PAYLOAD);
   return CHUNK_HEADER_SIZE + ((chunk_size + 1) & ~1U);
 }
 
 // Size of a chunk including header and padding.
 static WEBP_INLINE size_t ChunkDiskSize(const WebPChunk* chunk) {
   const size_t data_size = chunk->data_.size;
-  assert(data_size < MAX_CHUNK_PAYLOAD);
   return SizeWithPadding(data_size);
 }
 
diff -urp libwebp-0.5.0.orig/src/mux/muxread.c libwebp-0.5.0/src/mux/muxread.c
--- libwebp-0.5.0.orig/src/mux/muxread.c	2021-05-13 07:54:13.239530513 -0500
+++ libwebp-0.5.0/src/mux/muxread.c	2021-05-13 10:46:07.958462161 -0500
@@ -59,6 +59,7 @@ static WebPMuxError ChunkVerifyAndAssign
   // Sanity checks.
   if (data_size < CHUNK_HEADER_SIZE) return WEBP_MUX_NOT_ENOUGH_DATA;
   chunk_size = GetLE32(data + TAG_SIZE);
+  if (chunk_size > MAX_CHUNK_PAYLOAD) return WEBP_MUX_BAD_DATA;
 
   {
     const size_t chunk_disk_size = SizeWithPadding(chunk_size);
@@ -205,9 +206,14 @@ WebPMux* WebPMuxCreateInternal(const Web
     goto Err;  // First chunk should be VP8, VP8L or VP8X.
   }
 
-  riff_size = SizeWithPadding(GetLE32(data + TAG_SIZE));
+  riff_size = GetLE32(data + TAG_SIZE);
+  if (riff_size > MAX_CHUNK_PAYLOAD) goto Err;
+
+  // Note this padding is historical and differs from demux.c which does not
+  // pad the file size.
+  riff_size = SizeWithPadding(riff_size);
   if (riff_size < CHUNK_HEADER_SIZE) goto Err;
-  if (riff_size > MAX_CHUNK_PAYLOAD || riff_size > size) goto Err;
+  if (riff_size > size) goto Err;
   // There's no point in reading past the end of the RIFF chunk.
   if (size > riff_size + CHUNK_HEADER_SIZE) {
     size = riff_size + CHUNK_HEADER_SIZE;

Places

File libwebp-CVE-2020-36331.patch of Package libwebp.24379

Places