Issue 508 in webp: Integer Overflow in demuxer


dr2… via monorail

Feb 20, 2021, 10:26:22 AM
to webp-d...@webmproject.org
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 508 by dr2...@columbia.edu: Integer Overflow in demuxer
https://bugs.chromium.org/p/webp/issues/detail?id=508

What steps will reproduce the problem?
1. Call StoreFrame on large MemBuffer

What is the expected output? What do you see instead?
Large payload_size may overflow payload_size_padded register by one

What version of the product are you using? On what operating system?
Latest version
Ubuntu 20.04

Please provide any additional information below.
https://sourcegraph.com/github.com/webmproject/libwebp@master/-/blob/src/demux/demux.c#L224


jz… via monorail

Feb 22, 2021, 6:55:28 PM
to webp-d...@webmproject.org

Comment #1 on issue 508 by jz...@google.com: Integer Overflow in demuxer
https://bugs.chromium.org/p/webp/issues/detail?id=508#c1

Thanks for the report. payload_size is validated at line 229, but that does come after the calculation so I could see it triggering a sanitizer warning (though the behavior is defined in this case).

Git Watcher via monorail

May 17, 2021, 2:17:08 PM
to webp-d...@webmproject.org

Comment #4 on issue 508 by Git Watcher: Integer Overflow in demuxer
https://bugs.chromium.org/p/webp/issues/detail?id=508#c4

The following revision refers to this bug:
https://chromium.googlesource.com/webm/libwebp/+/6fb4cddc93f2b9daf85a313b81303eca5519ac51

commit 6fb4cddc93f2b9daf85a313b81303eca5519ac51
Author: James Zern <jz...@google.com>
Date: Sat May 15 17:59:06 2021

demux: move padded size calc post unpadded validation

though the max chunk/payload sizes were checked and would fail the
padded size was being calculated beforehand which could result in a
(harmless) unsigned int overflow warning.

Bug: webp:508
Change-Id: I4fa30ded2b027c1577b03049a2deeb7bf75e5472

[modify] https://crrev.com/6fb4cddc93f2b9daf85a313b81303eca5519ac51/src/demux/demux.c
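The ordering change the commit describes, shown as an added example written for this page rather than libwebp's own demux.c: the pre-fix path derives the padded size before the payload size is validated (so 0xFFFFFFFF wraps to 0, which a sanitizer flags even though the later bound check rejects the chunk), while the fixed path validates first. The CHUNK_HEADER_SIZE and MAX_CHUNK_PAYLOAD values are assumptions modeled on libwebp's format_constants.h, and parse_chunk is a hypothetical helper.

```c
#include <stddef.h>
#include <stdint.h>

/* Constants modeled on libwebp's format_constants.h (assumption, check the
 * real header): a RIFF chunk is an 8-byte header (FourCC + LE32 size) followed
 * by the payload padded to an even length; MAX_CHUNK_PAYLOAD leaves room for
 * the header and the pad byte within a 32-bit size. */
#define CHUNK_HEADER_SIZE 8u
#define MAX_CHUNK_PAYLOAD (~0u - CHUNK_HEADER_SIZE - 1u)

enum { PARSE_OK = 0, PARSE_ERROR = 1 };

static uint32_t get_le32(const uint8_t* p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Pre-fix ordering (hypothetical rendering, not the project's source): the
 * padded size is derived before payload_size is validated, so a size of
 * 0xFFFFFFFF wraps payload_size + 1 to 0. The bound check that follows in the
 * real code still rejects the chunk, which is why the report is about a
 * sanitizer warning rather than a memory-safety bug. */
static uint32_t padded_size_unchecked(uint32_t payload_size) {
  return payload_size + (payload_size & 1u);  /* may wrap: defined, but noisy */
}

/* Fixed ordering: validate the unpadded size first, then pad. */
static int padded_size_checked(uint32_t payload_size, uint32_t* padded) {
  if (payload_size > MAX_CHUNK_PAYLOAD) return PARSE_ERROR;
  *padded = payload_size + (payload_size & 1u);  /* cannot wrap now */
  return PARSE_OK;
}

/* Parse one chunk header from buf and confirm the padded payload fits in the
 * bytes that follow it. On success sets *payload and *padded. */
static int parse_chunk(const uint8_t* buf, size_t len,
                       uint32_t* payload, uint32_t* padded) {
  if (len < CHUNK_HEADER_SIZE) return PARSE_ERROR;
  *payload = get_le32(buf + 4);
  if (padded_size_checked(*payload, padded) != PARSE_OK) return PARSE_ERROR;
  if (*padded > len - CHUNK_HEADER_SIZE) return PARSE_ERROR;
  return PARSE_OK;
}
```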

jz… via monorail

May 17, 2021, 4:20:39 PM
to webp-d...@webmproject.org
Updates:
Labels: v1.2.1
Status: Fixed

Comment #5 on issue 508 by jz...@google.com: Integer Overflow in demuxer
https://bugs.chromium.org/p/webp/issues/detail?id=508#c5

Thanks for the report. This should be fixed now and will be available in 1.2.1. Feel free to reopen or file a new issue if there's something that was missed.