Fix copy-paste error in WebPImage::inject_VP8X height check #9280
MarkLee131 wants to merge 1 commit into Exiv2:main
Line 773 checks width > 0 instead of height > 0. This was introduced in commit bf151a1. When height is 0, the enforce does not catch it and height - 1 wraps as an unsigned integer. Change the check to validate height instead of width.
Pull request overview
Fixes a copy/paste validation bug in WebPImage::inject_VP8X where the height field was not properly validated, allowing height - 1 to underflow and write an incorrect VP8X height value for malformed WebP inputs.
Changes:
- Correct Internal::enforce(...) to validate height > 0 (instead of checking width > 0 twice) before computing height - 1.
| /* set height - stored in 24bits */ | ||
| Internal::enforce(width > 0, Exiv2::ErrorCode::kerCorruptedMetadata); | ||
| Internal::enforce(height > 0, Exiv2::ErrorCode::kerCorruptedMetadata); | ||
| uint32_t h = height - 1; |
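Review bot: The comment on the first line of this hunk says the height is stored in 24 bits, but the checks visible here only enforce the lower bound before uint32_t h = height - 1. If the upper bound is not already enforced earlier in inject_VP8X, add a matching check next to the new one, for example Internal::enforce(height <= 0x1000000, Exiv2::ErrorCode::kerCorruptedMetadata), so that h always fits the 24-bit field.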
Consider adding a regression/system test for this specific height==0 case (issue #9279). The repo already has WebP inject_VP8X regression coverage (e.g. tests/bugfixes/github/test_issue_2270.py), but there doesn't appear to be a test that exercises a malformed WebP leading to height==0 and verifies we fail with kerCorruptedMetadata rather than wrapping height-1.
Fix #9279:
Line 773 checks width > 0 instead of height > 0. This was introduced in commit bf151a1. When height is 0, the enforce does not catch it and height - 1 wraps as an unsigned integer.
Change the check to validate height instead of width.
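The wrap described in this pull request, shown end to end as an added example; it is not part of the pull request or of Exiv2's code. The helper names are hypothetical, the inputs are constructed, and the 24-bit little-endian "value minus one" packing follows the WebP container layout for VP8X rather than Exiv2's own write path.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical helpers for illustration; none of these names are Exiv2's.
// VP8X stores each canvas dimension as (value - 1) in 24 bits, little-endian.
static void pack_dim(uint32_t dim, uint8_t out[3]) {
  uint32_t v = dim - 1;  // unsigned: wraps to 0xFFFFFFFF when dim == 0
  out[0] = v & 0xFF;
  out[1] = (v >> 8) & 0xFF;
  out[2] = (v >> 16) & 0xFF;  // bits 24..31 are dropped
}

// What a reader of the chunk decodes from those three bytes.
static uint32_t unpack_dim(const uint8_t in[3]) {
  return (uint32_t(in[0]) | (uint32_t(in[1]) << 8) | (uint32_t(in[2]) << 16)) + 1;
}

// Before the fix: the height branch tests width again, so height == 0 passes.
bool write_height_before(uint32_t width, uint32_t height, uint8_t out[3]) {
  if (!(width > 0)) return false;  // copy-paste error: should test height
  pack_dim(height, out);
  return true;
}

// After the fix: height itself is validated before height - 1 is computed.
bool write_height_after(uint32_t /*width*/, uint32_t height, uint8_t out[3]) {
  if (!(height > 0)) return false;  // kerCorruptedMetadata in the patched code
  pack_dim(height, out);
  return true;
}

// Returns the height a decoder would see, or 0 if the writer rejected the input.
uint32_t decoded_height(bool fixed, uint32_t width, uint32_t height) {
  uint8_t field[3] = {0, 0, 0};
  bool ok = fixed ? write_height_after(width, height, field)
                  : write_height_before(width, height, field);
  return ok ? unpack_dim(field) : 0;
}

int main() {
  // Constructed inputs: width 640 with a zero height, then a normal height.
  std::printf("before, h=0:   %u\n", decoded_height(false, 640, 0));
  std::printf("after,  h=0:   %u\n", decoded_height(true, 640, 0));
  std::printf("after,  h=480: %u\n", decoded_height(true, 640, 480));
  return 0;
}
```

With the unfixed check, a zero height is written as the field's maximum value, so a reader decodes the largest canvas height the format allows instead of seeing an error.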