libwebp: cherry-pick some demux changes

these make the demuxer more strict when parsing files with VP8X flags that don't match the data. e18e667 demux: strictly enforce the animation flag 61cb884 demux: (non-exp) fail if the fragmented flag is set BUG=317284 R=urvang@google.com TBR=fbarchard Review URL: https://codereview.chromium.org/60863004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@235867 0039d316-1c4b-4281-b951-d872f2087c98

libwebp: cherry-pick some demux changes
these make the demuxer more strict when parsing files with VP8X flags that don't match the data. e18e667 demux: strictly enforce the animation flag 61cb884 demux: (non-exp) fail if the fragmented flag is set BUG=317284 R=urvang@google.com TBR=fbarchard Review URL: https://codereview.chromium.org/60863004 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@235867 0039d316-1c4b-4281-b951-d872f2087c98
7bd60872 · urvang@google.com · 63b1b6de · 7bd60872 · 7bd60872
Commit 7bd60872 authored Nov 19, 2013 by urvang@google.com
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 1 deletion

third_party/libwebp/README.chromium third_party/libwebp/README.chromium +2 -0

third_party/libwebp/demux/demux.c third_party/libwebp/demux/demux.c +9 -1

No files found.
--- a/third_party/libwebp/README.chromium
+++ b/third_party/libwebp/README.chromium
@@ -29,3 +29,5 @@ Cherry-picks:
  92d47e4 improve VP8L signature detection by checking the version bits too
  dde91fd Demux: Correct the extended format validation
  96ad0e0 VPLBitReader: Catch error if bit_pos > LBITS.
+  e18e667 demux: strictly enforce the animation flag
+  61cb884 demux: (non-exp) fail if the fragmented flag is set
--- a/third_party/libwebp/demux/demux.c
+++ b/third_party/libwebp/demux/demux.c
@@ -509,8 +509,9 @@ static ParseStatus ParseVP8X(WebPDemuxer* const dmux) {
      case MKFOURCC('A', 'L', 'P', 'H'):
      case MKFOURCC('V', 'P', '8', ' '):
      case MKFOURCC('V', 'P', '8', 'L'): {
+        const int has_frames = !!(dmux->feature_flags_ & ANIMATION_FLAG);
        // check that this isn't an animation (all frames should be in an ANMF).
-        if (anim_chunks > 0) return PARSE_ERROR;
+        if (anim_chunks > 0 || has_frames) return PARSE_ERROR;

        Rewind(mem, CHUNK_HEADER_SIZE);
        status = ParseSingleImage(dmux);
@@ -599,6 +600,8 @@ static int IsValidSimpleFormat(const WebPDemuxer* const dmux) {

 // If 'exact' is true, check that the image resolution matches the canvas.
 // If 'exact' is false, check that the x/y offsets do not exceed the canvas.
+// TODO(jzern): this is insufficient in the fragmented image case if the
+// expectation is that the fragments completely cover the canvas.
 static int CheckFrameBounds(const Frame* const frame, int exact,
                            int canvas_width, int canvas_height) {
  if (exact) {
@@ -626,6 +629,9 @@ static int IsValidExtendedFormat(const WebPDemuxer* const dmux) {
  if (dmux->canvas_width_ <= 0 || dmux->canvas_height_ <= 0) return 0;
  if (dmux->loop_count_ < 0) return 0;
  if (dmux->state_ == WEBP_DEMUX_DONE && dmux->frames_ == NULL) return 0;
+#ifndef WEBP_EXPERIMENTAL_FEATURES
+  if (has_fragments) return 0;
+#endif

  while (f != NULL) {
    const int cur_frame_set = f->frame_num_;
@@ -637,8 +643,10 @@ static int IsValidExtendedFormat(const WebPDemuxer* const dmux) {
      const ChunkData* const image = f->img_components_;
      const ChunkData* const alpha = f->img_components_ + 1;

+      if (has_fragments && !f->is_fragment_) return 0;
      if (!has_fragments && f->is_fragment_) return 0;
      if (!has_frames && f->frame_num_ > 1) return 0;
+
      if (f->complete_) {
        if (alpha->size_ == 0 && image->size_ == 0) return 0;
        // Ensure alpha precedes image bitstream.