From 3d497b5e9289d5c5e3c40c2d64bcbe69ca6be922 Mon Sep 17 00:00:00 2001 From: 5225225 <5225225@mailbox.org> Date: Sat, 2 Oct 2021 17:36:31 +0100 Subject: [PATCH] webp: Do not panic on overflow if size is maximum --- src/codecs/webp/decoder.rs | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/src/codecs/webp/decoder.rs b/src/codecs/webp/decoder.rs index b4c973e7f7..d3dfb61679 100644 --- a/src/codecs/webp/decoder.rs +++ b/src/codecs/webp/decoder.rs @@ -106,13 +106,17 @@ impl WebPDecoder { ))); } _ => { - let mut len = self.r.read_u32::()?; + let mut len = u64::from(self.r.read_u32::()?); + if len % 2 != 0 { // RIFF chunks containing an uneven number of bytes append // an extra 0x00 at the end of the chunk + // + // The addition cannot overflow since we have a u64 that was created from a u32 len += 1; } - io::copy(&mut self.r.by_ref().take(len as u64), &mut io::sink())?; + + io::copy(&mut self.r.by_ref().take(len), &mut io::sink())?; } } } @@ -183,3 +187,23 @@ impl<'a, R: 'a + Read> ImageDecoder<'a> for WebPDecoder { Ok(()) } } + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn add_with_overflow_size() { + let bytes = vec![0x52, 0x49, 0x46, 0x46, 0xaf, 0x37, 0x80, 0x47, 0x57, 0x45, 0x42, 0x50, + 0x6c, 0x64, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xfb, 0x7e, 0x73, 0x00, + 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x40, 0xfb, 0xff, 0xff, 0x65, 0x65, + 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x00, 0x00, 0x00, + 0x62, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x49, 0x54, + 0x55, 0x50, 0x4c, 0x54, 0x59, 0x50, 0x45, 0x33, 0x37, 0x44, 0x4d, 0x46]; + + let data = std::io::Cursor::new(bytes); + + let _ = WebPDecoder::new(data); + } +}