Closed licaon-kter closed 10 months ago
No, it's not affected.
You're using which en/decoder? System one or some other lib?
This library uses Android's system decoder. And it's only used for decoding static bitmaps. So it's not related.
The original animated WebP binary data will be parsed and reorganized into several still WebP data. Then we use Android's system decoder to decode into bitmaps. That's how it works.
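The splitting step described in the comment above, as an added example that is not part of the thread or the library's code: a bounds-checked walk over the RIFF chunks of an animated WebP that re-wraps each ANMF frame as a still file and rejects any length field that points outside the data. The function names are hypothetical, the sample bytes are constructed and not a decodable image, and frames carrying an ALPH chunk would also need a VP8X header, which is omitted here.

```python
import struct

class WebPFormatError(ValueError):
    """Raised when a length field points outside the data we actually hold."""

def iter_chunks(buf, pos, end):
    """Yield (fourcc, payload_offset, payload_size) for RIFF chunks in buf[pos:end]."""
    while pos < end:
        if end - pos < 8:
            raise WebPFormatError(f"truncated chunk header at offset {pos}")
        fourcc, size = struct.unpack_from("<4sI", buf, pos)
        if size > end - (pos + 8):
            raise WebPFormatError(f"chunk {fourcc!r} at {pos} overruns its container")
        yield fourcc, pos + 8, size
        pos += 8 + size + (size & 1)  # payloads are padded to an even length

def split_frames(buf):
    """Return one still RIFF/WEBP byte string per ANMF frame in an animated file."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"WEBP":
        raise WebPFormatError("not a RIFF/WEBP file")
    end = 8 + struct.unpack_from("<I", buf, 4)[0]
    if end < 12 or end > len(buf):
        raise WebPFormatError("RIFF size does not match the file length")
    stills = []
    for fourcc, off, size in iter_chunks(buf, 12, end):
        if fourcc != b"ANMF":
            continue
        if size < 16:  # an ANMF payload starts with a 16-byte frame header
            raise WebPFormatError("ANMF chunk shorter than its frame header")
        data = buf[off + 16:off + size]
        kinds = [f for f, _, _ in iter_chunks(data, 0, len(data))]  # validates sub-chunks
        if not {b"VP8 ", b"VP8L"} & set(kinds):
            raise WebPFormatError("frame has no bitstream chunk")
        data += b"\0" * (len(data) & 1)
        stills.append(b"RIFF" + struct.pack("<I", 4 + len(data)) + b"WEBP" + data)
    return stills

def chunk(fourcc, payload):
    """Build one RIFF chunk (used only for the constructed sample)."""
    return fourcc + struct.pack("<I", len(payload)) + payload + b"\0" * (len(payload) & 1)

def build_sample(frame_payloads):
    """Constructed animated-WebP container: VP8X, ANIM, then one ANMF per payload."""
    body = b"WEBP" + chunk(b"VP8X", bytes(10)) + chunk(b"ANIM", bytes(6))
    for p in frame_payloads:
        body += chunk(b"ANMF", bytes(16) + chunk(b"VP8L", p))
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

The stills produced this way are still handed to whichever decoder the platform provides, so this check covers only the container parsing, not the bitstream decoding.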
afaik, Google patched the system decoder too, hence if that's vulnerable (how much % of users still get at least security updates today?) your lib might be too while parsing or whatever, but this is outside of your control of course.
/LE: this lib tries to bypass the system somewhat and avoid such an issue https://github.com/zjupure/GlideWebpDecoder/releases/tag/2.6
/LE: more detailed info on the issue: https://blog.isosceles.com/the-webp-0day/
Is this lib affected by CVE-2023-4863? Since it supports opening WebP then it would make sense. Also, if it is fixed in the latest update, let us know in the changelog, as this bug is critical.