From 74b50c046bb30f7c75ccbee9fa8afd37b1914859 Mon Sep 17 00:00:00 2001
From: Nico Weber
Date: Mon, 29 May 2023 15:10:02 -0400
Subject: [PATCH] WebP/Lossy: Check that file contains enough data for first partition
---
 Userland/Libraries/LibGfx/ImageFormats/WebPLoaderLossy.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Userland/Libraries/LibGfx/ImageFormats/WebPLoaderLossy.cpp b/Userland/Libraries/LibGfx/ImageFormats/WebPLoaderLossy.cpp
index 3f1243ab86..e4d7f2ee02 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/WebPLoaderLossy.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/WebPLoaderLossy.cpp
@@ -98,6 +98,9 @@ ErrorOr decode_webp_chunk_VP8_header(ReadonlyBytes vp8_data)
 dbgln_if(WEBP_DEBUG, "version {}, show_frame {}, size_of_first_partition {}, width {}, horizontal_scale {}, height {}, vertical_scale {}", version, show_frame, size_of_first_partition, width, horizontal_scale, height, vertical_scale);
+ if (vp8_data.size() < 10 + size_of_first_partition)
+ return Error::from_string_literal("WebPImageDecoderPlugin: 'VP8 ' chunk too small for full first partition");
+
 return VP8Header { version, show_frame, size_of_first_partition, width, horizontal_scale, height, vertical_scale, vp8_data.slice(10, size_of_first_partition), vp8_data.slice(10 + size_of_first_partition) };
 }
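Review bot: The new guard and the two `slice()` calls in the `return VP8Header { … }` statement each spell out the literal `10` and the sum `10 + size_of_first_partition` on their own, so the bounds check and the accesses it protects can drift apart on a later edit. Computing the offset once, e.g. `size_t first_partition_end = 10 + size_of_first_partition;` with a comment saying what the 10 bytes are, and using it in the check and both slices would keep them tied together. The addition is only safe from wrapping if `size_of_first_partition` is bounded where it is decoded; that code and the declaration are above this hunk, so it is worth confirming there. When the chunk size equals the sum exactly, the check passes and the trailing slice is empty, so whatever parses the remaining partitions presumably has to cope with zero bytes. The function starts outside the hunk, and the patch adds no truncated-file test for the new error path.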