Google Git
Sign in
skia/external/github.com/AOMediaCodec/libavif/refs/heads/progressive_use_after_free^!/.
commit
9979c8956bc8bb07f1fc7d5bb57e3b3a3cec945d
[log]
author
Joe Drago <jdrago@netflix.com>
Thu Aug 19 02:24:31 2021 -0700
committer
Joe Drago <jdrago@netflix.com>
Thu Aug 19 02:24:31 2021 -0700
tree
a1336b132cb4bbd7055f5ac4239acd6538568b6a
parent
bd1492e1812fff842c31c0f4da84d48f1349265c [diff]
When creating the read buffer in avifDecoderItemRead(), always make the buffer the item's full size

This avoids progressive image partial item reads causing reallocs of this buffer, which can cause
dangling pointers in the underlying AV1 decoders (use-after-free). As the natural pattern of this
type of usage is to ultimately decode the final image, those additional reallocations are also
typically unnecessary overhead, as we'll eventually be using this sized buffer anyway.

This should address Chromium issue 1239472.

diff --git a/src/read.c b/src/read.c
index 667ff2f..8c0ef8a 100644
--- a/src/read.c
+++ b/src/read.c

@@ -1045,7 +1045,13 @@
     // preexisting buffer.
     avifBool singlePersistentBuffer = ((item->extents.count == 1) && (idatBuffer || io->persistent));
     if (!singlePersistentBuffer) {
-        avifRWDataRealloc(&item->mergedExtents, totalBytesToRead);
+        // Always allocate the item's full size here, as progressive image decodes will do partial
+        // reads into this buffer and begin feeding the buffer to the underlying AV1 decoder, but
+        // will then write more into this buffer without flushing the AV1 decoder (which is still
+        // holding the address of the previous allocation of this buffer). This strategy avoids
+        // use-after-free issues in the AV1 decoder and unnecessary reallocs as a typical
+        // progressive decode use case will eventually decode the final layer anyway.
+        avifRWDataRealloc(&item->mergedExtents, item->size);
         item->ownsMergedExtents = AVIF_TRUE;
     }