firefox/CVE-2023-4863-2.patch
Jiayi Yin 3f5b6d926c init
2025-03-17 09:32:30 +00:00

# HG changeset patch
# User Timothy Nikkel <tnikkel@gmail.com>
# Date 1694697417 0
# Node ID cbbf997c33890c2c49d24079db83b6ebb74cd7d8
# Parent 1aa227e40ab488aa065fe035debff0615f67b1f1
Bug 1852749. Cherry-pick upstream libwebp fix. r=gfx-reviewers,lsalzman a=RyanVM
https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520
Differential Revision: https://phabricator.services.mozilla.com/D188066
diff --git a/media/libwebp/src/dec/vp8l_dec.c b/media/libwebp/src/dec/vp8l_dec.c
--- a/media/libwebp/src/dec/vp8l_dec.c
+++ b/media/libwebp/src/dec/vp8l_dec.c
@@ -1236,19 +1236,30 @@ static int DecodeImageData(VP8LDecoder*
*src = VP8LColorCacheLookup(color_cache, key);
goto AdvanceByOne;
} else { // Not reached
goto Error;
}
}
br->eos_ = VP8LIsEndOfStream(br);
- if (dec->incremental_ && br->eos_ && src < src_end) {
+ // In incremental decoding:
+ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
+ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
+ // be reset until there is more data.
+ // !br->eos_ && src < src_last: this cannot happen as either the buffer is
+ // fully read, either enough has been read to reach 'src_last'.
+ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
+ // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
+ // The buffer might have been enough or there is some left. 'br->eos_' does
+ // not matter.
+ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
+ if (dec->incremental_ && br->eos_ && src < src_last) {
RestoreState(dec);
- } else if (!br->eos_) {
+ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
// Process the remaining rows corresponding to last row-block.
if (process_func != NULL) {
process_func(dec, row > last_row ? last_row : row);
}
dec->status_ = VP8_STATUS_OK;
dec->last_pixel_ = (int)(src - data); // end-of-scan marker
} else {
// if not incremental, and we are past the end of buffer (eos_=1), then this