invalid read (array overrun) at GetMetaIndex() in 0.4.0

[GoogleCodeExporter]

What steps will reproduce the problem?
1. An image of size 64x4096 with alpha (size is unusual).
2. (The particular .webp file that causes the problem is attached.)
3.

What is the expected output? What do you see instead?

Segfault.

What version of the product are you using? On what operating system?

libwebp 0.4.0

64-bit Linux Debian.

Please provide any additional information below.

Overruns a C array at GetMetaIndex() vp8l.c:612 :
  return image[xsize * (y >> bits) + (x >> bits)];

Downgraded to libwebp 0.3.1 which doesn't have this memory problem.

From Valgrind:

==8147== Invalid read of size 4
==8147==    at 0x5D934F: GetMetaIndex (vp8l.c:612)
==8147==    by 0x5D938B: GetHtreeGroupForPos (vp8l.c:617)
==8147==    by 0x5D992B: DecodeAlphaData (vp8l.c:736)
==8147==    by 0x5DB0ED: VP8LDecodeAlphaImageStream (vp8l.c:1300)
==8147==    by 0x5CE577: ALPHDecode (alpha.c:101)
==8147==    by 0x5CE775: VP8DecompressAlphaRows (alpha.c:150)
==8147==    by 0x5CFB65: FinishRow (frame.c:289)
==8147==    by 0x5CFF1F: VP8ProcessRow (frame.c:346)
==8147==    by 0x5D77B3: ParseFrame (vp8.c:636)
==8147==    by 0x5D7927: VP8Decode (vp8.c:681)
==8147==    by 0x5DC331: DecodeInto (webp.c:486)
==8147==    by 0x5DC859: Decode (webp.c:616)
==8147==    by 0x5DC929: WebPDecodeRGBA (webp.c:633)

Original issue reported on code.google.com by jimbl...@gmail.com on 27 Mar 2014 at 12:13

• Merged into: #193

Attachments:

• cumulus_YsBJY17mMJZF.webp

[GoogleCodeExporter]

i can reproduce the problem (without bypass_filtering=1) using 'dwebp' simply.

The problem was introduced by https://gerrit.chromium.org/gerrit/#/c/58250/
So, yes libwebp-0.3.1 doesn't have this issue.

It should be fixed with https://gerrit.chromium.org/gerrit/#/c/69363/

Original comment by pascal.m...@gmail.com on 27 Mar 2014 at 3:58

• Changed state: Duplicate