diff options
| author | Nico Weber <thakis@chromium.org> | 2023-04-04 20:09:13 -0400 |
|---|---|---|
| committer | Linus Groh <mail@linusgroh.de> | 2023-04-07 09:47:04 +0200 |
| commit | 2fc682c03368d105539977231f84ea95970a1c60 (patch) | |
| tree | e9a7097e48b31b1a233967684a1aec8d06bd24f3 | |
| parent | ae1f7124acca7963e3c90f0e54894b9b3715e0a1 (diff) | |
| download | serenity-2fc682c03368d105539977231f84ea95970a1c60.zip | |
LibGfx: In webp decoder, check that each transform is used only once
| -rw-r--r-- | Userland/Libraries/LibGfx/ImageFormats/WebPLoader.cpp | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/Userland/Libraries/LibGfx/ImageFormats/WebPLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/WebPLoader.cpp index 00f94ff864..6434aa1ed6 100644 --- a/Userland/Libraries/LibGfx/ImageFormats/WebPLoader.cpp +++ b/Userland/Libraries/LibGfx/ImageFormats/WebPLoader.cpp @@ -648,6 +648,8 @@ static ErrorOr<void> decode_webp_chunk_VP8L(WebPLoadingContext& context, Chunk c // https://developers.google.com/speed/webp/docs/webp_lossless_bitstream_specification#72_structure_of_transforms // optional-transform = (%b1 transform optional-transform) / %b0 + // "Each transform is allowed to be used only once." + u8 seen_transforms = 0; while (TRY(bit_stream.read_bits(1))) { // transform = predictor-tx / color-tx / subtract-green-tx // transform =/ color-indexing-tx @@ -669,6 +671,12 @@ static ErrorOr<void> decode_webp_chunk_VP8L(WebPLoadingContext& context, Chunk c TransformType transform_type = static_cast<TransformType>(TRY(bit_stream.read_bits(2))); dbgln_if(WEBP_DEBUG, "transform type {}", (int)transform_type); + // Check that each transfom is used only once. + u8 mask = 1 << (int)transform_type; + if (seen_transforms & mask) + return context.error("WebPImageDecoderPlugin: transform type used multiple times"); + seen_transforms |= mask; + switch (transform_type) { case PREDICTOR_TRANSFORM: return context.error("WebPImageDecoderPlugin: VP8L PREDICTOR_TRANSFORM handling not yet implemented"); |