From acee2894ceb91616543927c2a6e45050c60f98f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hubert=20Figui=C3=A8re?= <hub@figuiere.net>
Date: Sat, 27 Jul 2019 20:42:51 -0400
Subject: [PATCH 21/91] Bug #12 - Invalid WebP cause memory overflow.

https://gitlab.freedesktop.org/libopenraw/exempi/issues/12
---
 XMPFiles/source/FormatSupport/WEBP_Support.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/XMPFiles/source/FormatSupport/WEBP_Support.cpp b/XMPFiles/source/FormatSupport/WEBP_Support.cpp
index 2c2ba12..63f9f60 100644
--- a/XMPFiles/source/FormatSupport/WEBP_Support.cpp
+++ b/XMPFiles/source/FormatSupport/WEBP_Support.cpp
@@ -120,10 +120,16 @@ VP8XChunk::VP8XChunk(Container* parent_)
     this->data.assign(this->size, 0);
     XMP_Uns8* bitstream =
         (XMP_Uns8*)parent->chunks[WEBP_CHUNK_IMAGE][0]->data.data();
+    XMP_Uns32 width = 0;
+    XMP_Uns32 height = 0;
     // See bug https://bugs.freedesktop.org/show_bug.cgi?id=105247
     // bitstream could be NULL.
-    XMP_Uns32 width = bitstream ? ((bitstream[7] << 8) | bitstream[6]) & 0x3fff : 0;
-    XMP_Uns32 height = bitstream ? ((bitstream[9] << 8) | bitstream[8]) & 0x3fff : 0;
+    // See bug https://gitlab.freedesktop.org/libopenraw/exempi/issues/12
+    // image chunk data could be too short (must be 10)
+    if (parent->chunks[WEBP_CHUNK_IMAGE][0]->data.size() >= 10 && bitstream) {
+      width = ((bitstream[7] << 8) | bitstream[6]) & 0x3fff;
+      height = ((bitstream[9] << 8) | bitstream[8]) & 0x3fff;
+    }
     this->width(width);
     this->height(height);
     parent->vp8x = this;
-- 
2.33.0