File libwebp-CVE-2018-25010.patch of Package libwebp.30679

Overview Repositories Revisions Requests Users Attributes Meta

File libwebp-CVE-2018-25010.patch of Package libwebp.30679

From 1344a2e947c749d231141a295327e5b99b444d63 Mon Sep 17 00:00:00 2001
From: Pascal Massimino <skal@google.com>
Date: Fri, 29 Jun 2018 10:15:47 -0700
Subject: [PATCH] fix alpha-filtering crash when image width is larger than
 radius

(we also limit radius based on height too, for good measure, although it's not an asan bug)

fixes oss-fuzz issue #9105

Change-Id: Ie0d79dd81480dc4e2b653b7e992e5cdcd3dfa834

Backported by Mike Gorse <mgorse@suse.com>
---
diff -urp libwebp-0.5.0.orig/src/utils/quant_levels_dec.c libwebp-0.5.0/src/utils/quant_levels_dec.c
--- libwebp-0.5.0.orig/src/utils/quant_levels_dec.c	2015-12-18 02:04:24.000000000 -0600
+++ libwebp-0.5.0/src/utils/quant_levels_dec.c	2021-05-13 11:01:06.655248455 -0500
@@ -255,9 +255,15 @@ static void CleanupParams(SmoothParams*
 
 int WebPDequantizeLevels(uint8_t* const data, int width, int height,
                          int strength) {
-  const int radius = 4 * strength / 100;
+  int radius = 4 * strength / 100;
+
   if (strength < 0 || strength > 100) return 0;
   if (data == NULL || width <= 0 || height <= 0) return 0;  // bad params
+
+  // limit the filter size to not exceed the image dimensions
+  if (2 * radius + 1 > width) radius = (width - 1) >> 1;
+  if (2 * radius + 1 > height) radius = (height - 1) >> 1;
+
   if (radius > 0) {
     SmoothParams p;
     memset(&p, 0, sizeof(p));

Places

File libwebp-CVE-2018-25010.patch of Package libwebp.30679

Places