WebP/Lossy: Validate show_frame and version when reading header

author: Nico Weber <thakis@chromium.org> 2023-05-24 08:22:28 -0400
committer: Andreas Kling <kling@serenityos.org> 2023-05-24 16:09:40 +0200
commit: 703bd4c8a3e18dfb194017f48252d4497e753a08 (patch)
tree: 0d03fcc54256664f623616abca35d7309f0db195 /Userland/Libraries
parent: 5934c4ebfbce1f078a3f9fcdf7646afdca365af1 (diff)
download: serenity-703bd4c8a3e18dfb194017f48252d4497e753a08.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/Userland/Libraries/LibGfx/ImageFormats/WebPLoaderLossy.cpp b/Userland/Libraries/LibGfx/ImageFormats/WebPLoaderLossy.cpp
index 2c9ea96e4b..41ab59d7b8 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/WebPLoaderLossy.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/WebPLoaderLossy.cpp
@@ -43,7 +43,11 @@ ErrorOr<VP8Header> decode_webp_chunk_VP8_header(ReadonlyBytes vp8_data)
     if (!is_key_frame)
         return Error::from_string_literal("WebPImageDecoderPlugin: 'VP8 ' chunk not a key frame");
 
-    // FIXME: !show_frame does not make sense in a webp file either, probably?
+    if (!show_frame)
+        return Error::from_string_literal("WebPImageDecoderPlugin: 'VP8 ' chunk has invalid visibility for webp image");
+
+    if (version > 3)
+        return Error::from_string_literal("WebPImageDecoderPlugin: unknown version number in 'VP8 ' chunk");
 
     u32 start_code = data[3] | (data[4] << 8) | (data[5] << 16);
     if (start_code != 0x2a019d) // https://www.rfc-editor.org/errata/eid7370
author	Nico Weber <thakis@chromium.org>	2023-05-24 08:22:28 -0400
committer	Andreas Kling <kling@serenityos.org>	2023-05-24 16:09:40 +0200
commit	703bd4c8a3e18dfb194017f48252d4497e753a08 (patch)
tree	0d03fcc54256664f623616abca35d7309f0db195 /Userland/Libraries
parent	5934c4ebfbce1f078a3f9fcdf7646afdca365af1 (diff)
download	serenity-703bd4c8a3e18dfb194017f48252d4497e753a08.zip