Ladybird/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-06-09 17:44:56 +09:00
Code Activity

LibCompress: Tolerate more than 288 entries in CanonicalCode

Browse source 
Webp lossless can have up to 2328 symbols. This code assumed the deflate
max of 288, leading to crashes for webp lossless files using more than
288 symbols (such as Tests/LibGfx/test-inputs/simple-vp8l.webp).

Nothing writes webp files at this point, so the m_bit_codes and
m_bit_code_lengths arrays aren't ever used in practice with more than
288 entries.
This commit is contained in:
Nico Weber 2023-04-04 11:04:54 -04:00 committed by Linus Groh
parent 55b2977d5d
commit 6d38824985
Notes: sideshowbarker 2024-07-17 02:57:43 +09:00
2 changed files with 15 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

12
Userland/Libraries/LibCompress/Deflate.cpp
View file

@ -69,6 +69,10 @@ ErrorOr<CanonicalCode> CanonicalCode::from_bytes(ReadonlyBytes bytes)
code.m_prefix_table[1] = code.m_prefix_table[0]; code.m_prefix_table[1] = code.m_prefix_table[0];
code.m_max_prefixed_code_length = 1; code.m_max_prefixed_code_length = 1;
if (code.m_bit_codes.size() < static_cast<size_t>(last_non_zero + 1)) {
TRY(code.m_bit_codes.try_resize(last_non_zero + 1));
TRY(code.m_bit_code_lengths.try_resize(last_non_zero + 1));
}
code.m_bit_codes[last_non_zero] = 0; code.m_bit_codes[last_non_zero] = 0;
code.m_bit_code_lengths[last_non_zero] = 1; code.m_bit_code_lengths[last_non_zero] = 1;
@ -107,6 +111,10 @@ ErrorOr<CanonicalCode> CanonicalCode::from_bytes(ReadonlyBytes bytes)
code.m_symbol_values.append(symbol); code.m_symbol_values.append(symbol);
} }
if (code.m_bit_codes.size() < symbol + 1) {
TRY(code.m_bit_codes.try_resize(symbol + 1));
TRY(code.m_bit_code_lengths.try_resize(symbol + 1));
}
code.m_bit_codes[symbol] = fast_reverse16(start_bit | next_code, code_length); // DEFLATE writes huffman encoded symbols as lsb-first code.m_bit_codes[symbol] = fast_reverse16(start_bit | next_code, code_length); // DEFLATE writes huffman encoded symbols as lsb-first
code.m_bit_code_lengths[symbol] = code_length; code.m_bit_code_lengths[symbol] = code_length;
@ -159,7 +167,9 @@ ErrorOr<u32> CanonicalCode::read_symbol(LittleEndianInputBitStream& stream) cons
ErrorOr<void> CanonicalCode::write_symbol(LittleEndianOutputBitStream& stream, u32 symbol) const ErrorOr<void> CanonicalCode::write_symbol(LittleEndianOutputBitStream& stream, u32 symbol) const
{ {
TRY(stream.write_bits(m_bit_codes[symbol], m_bit_code_lengths[symbol])); auto code = symbol < m_bit_codes.size() ? m_bit_codes[symbol] : 0u;
auto length = symbol < m_bit_code_lengths.size() ? m_bit_code_lengths[symbol] : 0u;
TRY(stream.write_bits(code, length));
return {}; return {};
} }

6
Userland/Libraries/LibCompress/Deflate.h
View file

@ -45,8 +45,10 @@ private:
size_t m_max_prefixed_code_length { 0 }; size_t m_max_prefixed_code_length { 0 };
// Compression - indexed by symbol // Compression - indexed by symbol
Array<u16, 288> m_bit_codes {}; // deflate uses a maximum of 288 symbols (maximum of 32 for distances) // Deflate uses a maximum of 288 symbols (maximum of 32 for distances),
Array<u16, 288> m_bit_code_lengths {}; // but this is also used by webp, which can use up to 256 + 24 + (1 << 11) == 2328 symbols.
Vector<u16, 288> m_bit_codes {};
Vector<u16, 288> m_bit_code_lengths {};
}; };
class DeflateDecompressor final : public Stream { class DeflateDecompressor final : public Stream {