penfeizhou
commented
11 months ago No,it's not affected.
Closed licaon-kter closed 10 months ago
penfeizhou
commented
11 months ago No,it's not affected.
licaon-kter
commented
11 months ago You're using which en/decoder? System one or some other lib?
penfeizhou
commented
11 months ago This library uses android's system decoder. And it's only used for decoding static bitmap.So it's not related.
penfeizhou
commented
11 months ago The original animated webp binary data will be parsed and reorganized into several still webp data.Then we use android's system decoder to decode into bitmap.That's how it works.
licaon-kter
commented
11 months ago afaik, Google patched the system decoder too, hence if that's vulnerable (how much % of users still get at least security updates today?) your lib might be too while parsing or whatever, but this is outside of your control of course.
/LE: this lib tries to bypass the system somewhat and avoid such an issue https://github.com/zjupure/GlideWebpDecoder/releases/tag/2.6
/LE: more detailed info on the issue: https://blog.isosceles.com/the-webp-0day/
Is this lib affected by CVE-2023-4863? Since it supports opening WebP them it would make sense. Also if it fixed in latest update let us know in changelog as this bug is critical.