webp: Do not panic on overflow if size is maximum

image-rs · Oct 2, 2021 · f17e4af · f17e4af
1 parent 702c1e7
commit f17e4af
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 3 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -31,7 +31,7 @@ jpeg = { package = "jpeg-decoder", version = "0.1.22", default-features = false,
 png = { version = "0.16.5", optional = true }
 scoped_threadpool = { version = "0.1", optional = true }
 tiff = { version = "0.6.0", optional = true }
-ravif = { version = "0.7.0", optional = true }
+ravif = { version = "0.8.0", optional = true }
 rgb = { version = "0.8.25", optional = true }
 mp4parse = { version = "0.11.5", optional = true }
 dav1d = { version = "0.6.0", optional = true }

diff --git a/src/codecs/webp/decoder.rs b/src/codecs/webp/decoder.rs
@@ -106,13 +106,17 @@ impl<R: Read> WebPDecoder<R> {
                     )));
                 }
                 _ => {
-                    let mut len = self.r.read_u32::<LittleEndian>()?;
+                    let mut len = u64::from(self.r.read_u32::<LittleEndian>()?);
+
                     if len % 2 != 0 {
                         // RIFF chunks containing an uneven number of bytes append
                         // an extra 0x00 at the end of the chunk
+                        //
+                        // The addition cannot overflow since we have a u64 that was created from a u32
                         len += 1;
                     }
-                    io::copy(&mut self.r.by_ref().take(len as u64), &mut io::sink())?;
+
+                    io::copy(&mut self.r.by_ref().take(len), &mut io::sink())?;
                 }
             }
         }
@@ -183,3 +187,23 @@ impl<'a, R: 'a + Read> ImageDecoder<'a> for WebPDecoder<R> {
         Ok(())
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn add_with_overflow_size() {
+        let bytes = vec![0x52, 0x49, 0x46, 0x46, 0xaf, 0x37, 0x80, 0x47, 0x57, 0x45, 0x42, 0x50,
+                        0x6c, 0x64, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xfb, 0x7e, 0x73, 0x00,
+                        0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
+                        0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x40, 0xfb, 0xff, 0xff, 0x65, 0x65,
+                        0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x00, 0x00, 0x00,
+                        0x62, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x49, 0x54,
+                        0x55, 0x50, 0x4c, 0x54, 0x59, 0x50, 0x45, 0x33, 0x37, 0x44, 0x4d, 0x46];
+
+        let data = std::io::Cursor::new(bytes);
+
+        let _ = WebPDecoder::new(data);
+    }
+}