engine apng: fdAT data_length underflow -> oversized memcpy length

[1seal]

this looks like a small bounds/validation gap in the engine apng demux path.

summary

• location: lib/ui/painting/image_generator_apng.cc (APNGImageGenerator::DemuxNextImage)
• issue: fdAT chunk data_length is treated as (data_length - 4) for the rewritten idat payload (sequence_number minimum is 4). if data_length < 4, the subtraction underflows and the result is used as the memcpy length.
• fix: reject fdAT chunks with data_length < 4 before subtracting/copying.

proposed patch + test

• commit (fork): 1seal/engine@7e44f56
• patch (public gist): https://gist.github.com/1seal/d5856680f768a2110a7453f9540f643a

notes

• i attempted to open a pr against flutter/engine, but the repo is currently archived (read-only), so i’m sharing the patch/commit for maintainers to pick up in the canonical workflow.

[stuartmorgan-g]

• i attempted to open a pr against flutter/engine, but the repo is currently archived (read-only)

As noted in the README there, the code moved to https://github.com/flutter/flutter/tree/master/engine. The way to make a PR for it is to open it against flutter/flutter.

so i’m sharing the patch/commit for maintainers to pick up in the canonical workflow.

We are unable to accept code that does not come in through our PR process.

[1seal]

thanks for the pointer. i’ve opened a pr against flutter/flutter with the fix + regression test: #183180

[mbcorona]

Hi @1seal , routing this to team-engine so they can review the patch

[gaaclarke]

@jtmcdole is this related to some of the apng changes you were looking into?

[jtmcdole]

Yeah, it might be; I'll be taking a look.