libwebp: upstream canvas size check cherry-picks

third_party/libwebp/dec/webp.c

 // Copyright 2010 Google Inc. All Rights Reserved.
 //
 // Use of this source code is governed by a BSD-style license
 // that can be found in the COPYING file in the root of the source
 // tree. An additional intellectual property rights grant can be found
 // in the file PATENTS. All contributing project authors may
 // be found in the AUTHORS file in the root of the source tree.
 // -----------------------------------------------------------------------------
 //
 // Main decoding functions for WEBP images.
@@ skipping 268 matching lines @@
 // RIFF + VP8X + (optional chunks) + VP8(L)
 // ALPH + VP8 <-- Not a valid WebP format: only allowed for internal purpose.
 // VP8(L)     <-- Not a valid WebP format: only allowed for internal purpose.
 static VP8StatusCode ParseHeadersInternal(const uint8_t* data,
                                           size_t data_size,
                                           int* const width,
                                           int* const height,
                                           int* const has_alpha,
                                           int* const has_animation,
                                           WebPHeaderStructure* const headers) {
+  int canvas_width = 0;
+  int canvas_height = 0;
+  int image_width = 0;
+  int image_height = 0;
   int found_riff = 0;
   int found_vp8x = 0;
   VP8StatusCode status;
   WebPHeaderStructure hdrs;
 
   if (data == NULL || data_size < RIFF_HEADER_SIZE) {
     return VP8_STATUS_NOT_ENOUGH_DATA;
   }
   memset(&hdrs, 0, sizeof(hdrs));
   hdrs.data = data;
   hdrs.data_size = data_size;
 
   // Skip over RIFF header.
   status = ParseRIFF(&data, &data_size, &hdrs.riff_size);
   if (status != VP8_STATUS_OK) {
     return status;   // Wrong RIFF header / insufficient data.
   }
   found_riff = (hdrs.riff_size > 0);
 
   // Skip over VP8X.
   {
     uint32_t flags = 0;
-    status = ParseVP8X(&data, &data_size, &found_vp8x, width, height, &flags);
+    int animation_present;
+    status = ParseVP8X(&data, &data_size, &found_vp8x,
+                       &canvas_width, &canvas_height, &flags);
     if (status != VP8_STATUS_OK) {
       return status;  // Wrong VP8X / insufficient data.
     }
+    animation_present = !!(flags & ANIMATION_FLAG);
     if (!found_riff && found_vp8x) {
       // Note: This restriction may be removed in the future, if it becomes
       // necessary to send VP8X chunk to the decoder.
       return VP8_STATUS_BITSTREAM_ERROR;
     }
     if (has_alpha != NULL) *has_alpha = !!(flags & ALPHA_FLAG);
-    if (has_animation != NULL) *has_animation = !!(flags & ANIMATION_FLAG);
-    if (found_vp8x && headers == NULL) {
-      return VP8_STATUS_OK;  // Return features from VP8X header.
+    if (has_animation != NULL) *has_animation = animation_present;
+
+    if (found_vp8x && animation_present && headers == NULL) {
+      if (width != NULL) *width = canvas_width;
+      if (height != NULL) *height = canvas_height;
+      return VP8_STATUS_OK;  // Just return features from VP8X header.
     }
   }
 
   if (data_size < TAG_SIZE) return VP8_STATUS_NOT_ENOUGH_DATA;
 
   // Skip over optional chunks if data started with "RIFF + VP8X" or "ALPH".
   if ((found_riff && found_vp8x) ||
       (!found_riff && !found_vp8x && !memcmp(data, "ALPH", TAG_SIZE))) {
     status = ParseOptionalChunks(&data, &data_size, hdrs.riff_size,
                                  &hdrs.alpha_data, &hdrs.alpha_data_size);
@@ skipping 10 matching lines @@
   }
   if (hdrs.compressed_size > MAX_CHUNK_PAYLOAD) {
     return VP8_STATUS_BITSTREAM_ERROR;
   }
 
   if (!hdrs.is_lossless) {
     if (data_size < VP8_FRAME_HEADER_SIZE) {
       return VP8_STATUS_NOT_ENOUGH_DATA;
     }
     // Validates raw VP8 data.
-    if (!VP8GetInfo(data, data_size,
-                    (uint32_t)hdrs.compressed_size, width, height)) {
+    if (!VP8GetInfo(data, data_size, (uint32_t)hdrs.compressed_size,
+                    &image_width, &image_height)) {
       return VP8_STATUS_BITSTREAM_ERROR;
     }
   } else {
     if (data_size < VP8L_FRAME_HEADER_SIZE) {
       return VP8_STATUS_NOT_ENOUGH_DATA;
     }
     // Validates raw VP8L data.
-    if (!VP8LGetInfo(data, data_size, width, height, has_alpha)) {
+    if (!VP8LGetInfo(data, data_size, &image_width, &image_height, has_alpha)) {
       return VP8_STATUS_BITSTREAM_ERROR;
     }
   }
-
+  // Validates image size coherency. TODO(urvang): what about FRGM?
+  if (found_vp8x) {
+    if (canvas_width != image_width || canvas_height != image_height) {
+      return VP8_STATUS_BITSTREAM_ERROR;
+    }
+  }
+  if (width != NULL) *width = image_width;
+  if (height != NULL) *height = image_height;
   if (has_alpha != NULL) {
     // If the data did not contain a VP8X/VP8L chunk the only definitive way
     // to set this is by looking for alpha data (from an ALPH chunk).
     *has_alpha |= (hdrs.alpha_data != NULL);
   }
   if (headers != NULL) {
     *headers = hdrs;
     headers->offset = data - headers->data;
     assert((uint64_t)(data - headers->data) < MAX_CHUNK_PAYLOAD);
     assert(headers->offset == headers->data_size - data_size);
@@ skipping 404 matching lines @@
     io->fancy_upsampling = 0;
   }
   return 1;
 }
 
 //------------------------------------------------------------------------------
 
 #if defined(__cplusplus) || defined(c_plusplus)
 }    // extern "C"
 #endif