Hi,
https://blog.isosceles.com/the-webp-0day/ The trigger call stack entry described in it is WebPDecode.
Some other third-party open source software(such as GlideWebpDecoder) will rely on libwebp,
they will decide whether to use the system's decoding function or their own libwebp based on the Android version.
public static Bitmap decodeStream(InputStream is, Rect outPadding, BitmapFactory.Options opts) {
// we don't throw in this case, thus allowing the caller to only check
// the cache, and not force the image to be decoded.
if (is == null) {
return null;
}
is = wrapToMarkSupportedStream(is);
Bitmap bm;
byte[] header = getImageHeader(is);
if (webpSupportRequired(header, 0, MAX_WEBP_HEADER_SIZE)) {
bm = nativeDecodeStream(
is,
opts,
getScaleFromOptions(opts),
getInTempStorageFromOptions(opts));
setWebpBitmapOptions(bm, opts);
setDefaultPadding(outPadding);
} else {
// system decode method used
bm = BitmapFactory.decodeStream(is, outPadding, opts);
}
return bm;
}
I found that the WebPFrame nativeRenderFrame function also calls WebPDecode in its code. Is this function also likely to be affected by the vulnerability?