From 23ce1f641cd7ade757b4f5ae5efaaf6d9ac7285b Mon Sep 17 00:00:00 2001
From: Nico Weber
Date: Sat, 6 May 2023 06:01:58 -0400
Subject: [PATCH] LibGfx/WebP: Check that animation frame dimensions are in bounds
---
 Userland/Libraries/LibGfx/ImageFormats/WebPLoader.cpp | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Userland/Libraries/LibGfx/ImageFormats/WebPLoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/WebPLoader.cpp
index 4028f0fb30..7a25dd6234 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/WebPLoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/WebPLoader.cpp
@@ -1387,6 +1387,13 @@ static ErrorOr decode_webp_chunk_ANMF(WebPLoadingContext& context, Ch
 dbgln_if(WEBP_DEBUG, "frame_x {} frame_y {} frame_width {} frame_height {} frame_duration {} blending_method {} disposal_method {}", frame_x, frame_y, frame_width, frame_height, frame_duration, (int)blending_method, (int)disposal_method);
+ // https://developers.google.com/speed/webp/docs/riff_container#assembling_the_canvas_from_frames
+ // "assert VP8X.canvasWidth >= frame_right
+ // assert VP8X.canvasHeight >= frame_bottom"
+ VERIFY(context.first_chunk->type == FourCC("VP8X"));
+ if (frame_x + frame_width > context.vp8x_header.width || frame_y + frame_height > context.vp8x_header.height)
+ return context.error("WebPImageDecoderPlugin: ANMF dimensions out of bounds");
+
 return ANMFChunk { frame_x, frame_y, frame_width, frame_height, frame_duration, blending_method, disposal_method, frame_data };
 }
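Review bot: The added `VERIFY(context.first_chunk->type == FourCC("VP8X"))` aborts the process if the condition is ever false, and whether decode_webp_chunk_ANMF can be reached for a file whose first chunk is not VP8X depends on the caller, which lies outside this hunk (only the function's signature is visible in the @@ context). If that path is reachable from file contents, a malformed image becomes a crash of the decoding process instead of a decode error; the same outcome as the new bounds check would be `if (context.first_chunk->type != FourCC("VP8X")) return context.error("WebPImageDecoderPlugin: ANMF chunk without VP8X header");`. The operand types of `frame_x + frame_width` and `frame_y + frame_height` are also not visible here; if they are unsigned 32-bit values decoded from the 24-bit ANMF fields the sums cannot wrap, and a one-line comment to that effect above the `if`, e.g. `// Offsets and sizes come from 24-bit fields, so these sums cannot overflow.`, would make the check self-evidently safe to the next reader. The rest of the function starts before this hunk.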