webp: disallow multiple VP8X chunks

Per the spec, there should only be one. A malformed image containing
multiple VP8X chunks can cause unexpected memory usage, since
DecodeConfig will only parse the first chunk, which contains the canvas
size, but a subsequent chunk can indicate a significantly larger canvas,
which we will then try to allocate a buffer for.

Change-Id: I240ae76162f4293f6e6991020d18d4d3270cb9b6
Reviewed-on: https://go-review.googlesource.com/c/image/+/551416
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>

webp/decode.go

@@ -39,6 +39,7 @@ func decode(r io.Reader, configOnly bool) (image.Image, image.Config, error) {
 		alpha          []byte
 		alphaStride    int
 		wantAlpha      bool
+		seenVP8X       bool
 		widthMinusOne  uint32
 		heightMinusOne uint32
 		buf            [10]byte
@@ -113,6 +114,10 @@ func decode(r io.Reader, configOnly bool) (image.Image, image.Config, error) {
 			return m, image.Config{}, err
 
 		case fccVP8X:
+			if seenVP8X {
+				return nil, image.Config{}, errInvalidFormat
+			}
+			seenVP8X = true
 			if chunkLen != 10 {
 				return nil, image.Config{}, errInvalidFormat
 			}

webp/decode_test.go

@@ -271,6 +271,14 @@ func TestDecodePartitionTooLarge(t *testing.T) {
 	}
 }
 
+func TestDuplicateVP8X(t *testing.T) {
+	data := []byte{'R', 'I', 'F', 'F', 49, 0, 0, 0, 'W', 'E', 'B', 'P', 'V', 'P', '8', 'X', 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 'V', 'P', '8', 'X', 10, 0, 0, 0, 0x10, 0, 0, 0, 0, 0, 0, 0, 0, 0}
+	_, err := Decode(bytes.NewReader(data))
+	if err != errInvalidFormat {
+		t.Fatalf("unexpected error: want %q, got %q", errInvalidFormat, err)
+	}
+}
+
 func benchmarkDecode(b *testing.B, filename string) {
 	data, err := ioutil.ReadFile("../testdata/blue-purple-pink-large." + filename + ".webp")
 	if err != nil {