Fix invalid incremental decoding check.

The first condition is only necessary if we have not read enough (enough being defined by src_last, not src_end which is the end of the image). The second condition now fits the comment below: "if not incremental, and we are past the end of buffer". BUG=oss-fuzz:62136 Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f
webmproject · Sep 12, 2023 · 95ea522 · 95ea522 · jacks0n9 · Oct 3, 2023
1 parent 902bc91
commit 95ea522
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c
@@ -1233,9 +1233,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data,
   }
 
   br->eos_ = VP8LIsEndOfStream(br);
-  if (dec->incremental_ && br->eos_ && src < src_end) {
+  // In incremental decoding:
+  // br->eos_ && src < src_last: if 'br' reached the end of the buffer and
+  // 'src_last' has not been reached yet, there is not enough data. 'dec' has to
+  // be reset until there is more data.
+  // !br->eos_ && src < src_last: this cannot happen as either the buffer is
+  // fully read, either enough has been read to reach 'src_last'.
+  // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go
+  // beyond 'src_last' in case the image is cropped and an LZ77 goes further.
+  // The buffer might have been enough or there is some left. 'br->eos_' does
+  // not matter.
+  assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last);
+  if (dec->incremental_ && br->eos_ && src < src_last) {
     RestoreState(dec);
-  } else if (!br->eos_) {
+  } else if ((dec->incremental_ && src >= src_last) || !br->eos_) {
     // Process the remaining rows corresponding to last row-block.
     if (process_func != NULL) {
       process_func(dec, row > last_row ? last_row : row);