Skip to content

engine apng: reject short fdAT chunk lengths#183180

Closed
1seal wants to merge 2 commits into
flutter:masterfrom
1seal:codex/apng-fdat-len-check
Closed

engine apng: reject short fdAT chunk lengths#183180
1seal wants to merge 2 commits into
flutter:masterfrom
1seal:codex/apng-fdat-len-check

Conversation

@1seal

@1seal 1seal commented Mar 3, 2026

Copy link
Copy Markdown
Contributor

fixes an apng demux edge case in engine: fdAT chunks with data_length < 4 (sequence_number minimum) previously underflowed (data_length - 4) and that value was used as the memcpy length during fdAT->IDAT rewrite.

changes:

  • reject fdAT chunks with data_length < 4 in APNGImageGenerator::DemuxNextImage
  • add a ui_unittests regression test + minimal fixtures (len0 rejected, len4 accepted)

issue: #183179

@1seal 1seal mentioned this pull request Mar 3, 2026
Closed
@github-actions github-actions Bot added the engine flutter/engine related. See also e: labels. label Mar 3, 2026
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Mar 3, 2026
View reviewed changes

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request modifies the APNG image decoding logic to handle fdAT chunks with short data lengths. In APNGImageGenerator::DemuxNextImage, a check is added to ensure the data_length of an fdAT chunk is at least 4 bytes. If the length is less than 4, the function now returns an error, preventing a potential integer underflow and subsequent buffer overflow in memcpy. A new test file, image_generator_apng_unittests.cc, is added with two tests: one that verifies that an APNG with an fdAT chunk of length 0 is rejected, and another that confirms an APNG with an fdAT chunk of length 4 is accepted. The BUILD.gn file is updated to include the new test file and its associated image fixtures.

@gaaclarke gaaclarke requested a review from jtmcdole March 9, 2026 18:04
@gaaclarke

gaaclarke commented Mar 9, 2026

Copy link
Copy Markdown
Member

hey @1seal you can run ./bin/et format to fix the formatting. It looks like that is at least some of your ci problems.

@flutter-dashboard

flutter-dashboard Bot commented Mar 30, 2026

Copy link
Copy Markdown

This pull request executed golden file tests, but it has not been updated in a while (20+ days). Test results from Gold expire after as many days, so this pull request will need to be updated with a fresh commit in order to get results from Gold.

For more guidance, visit Writing a golden file test for package:flutter.

Reviewers: Read the Tree Hygiene page and make sure this patch meets those guidelines before LGTMing.

1seal added 2 commits March 30, 2026 20:18
@1seal
engine apng: reject short fdAT chunk lengths
70501d9 
guard against fdAT data_length < 4 underflow in APNGImageGenerator::DemuxNextImage and add a ui_unittests regression test + minimal fixtures.
@1seal
engine apng: use valid APNG positive control
f6538cb
@1seal 1seal force-pushed the codex/apng-fdat-len-check branch from cbc9966 to f6538cb Compare March 30, 2026 17:25
@1seal

1seal commented Mar 30, 2026

Copy link
Copy Markdown
Contributor Author

rebased and fixed the failing positive control test. apng_fdat_len4.apng was boundary-safe for the underflow check, but not a valid APNG acceptance fixture on current master, so ui_unittests failed. switched to a valid fdAT APNG and re-triggered CI.

@mohammadmseet-hue mohammadmseet-hue mentioned this pull request Mar 31, 2026
Closed
@jason-simmons jason-simmons mentioned this pull request May 18, 2026
Merged
gaaclarke pushed a commit to gaaclarke/flutter that referenced this pull request May 21, 2026
@jason-simmons @1seal @mohammadmseet-hue
Fix a potential buffer overflow in the animated PNG decoder when pars…
9cf97ce 
…ing malformed fdAT chunks (flutter#186700)

An fdAT (frame data) chunk in an APNG should contain a sequence number
followed by image data.  The APNG decoder needs to reject invalid fdAT
chunks that do not have the expected contents.

Based on flutter#184301 and
flutter#183180

Fixes flutter#183179

---------

Co-authored-by: 1seal <security@1seal.org>
Co-authored-by: mohammadmseet-hue <mohammadmseet@gmail.com>
@jason-simmons

jason-simmons commented May 21, 2026

Copy link
Copy Markdown
Member

Thank you for your contribution, and sorry for taking so long to respond.

I've landed a different version of the fix for this issue: #186700

@LongCatIsLooong LongCatIsLooong mentioned this pull request Jun 17, 2026
Closed
10 tasks
via-guy pushed a commit to via-guy/flutter that referenced this pull request Jun 26, 2026
@jason-simmons @1seal
@mohammadmseet-hue @via-guy
Fix a potential buffer overflow in the animated PNG decoder when pars…
b797328 
…ing malformed fdAT chunks (flutter#186700)

An fdAT (frame data) chunk in an APNG should contain a sequence number
followed by image data.  The APNG decoder needs to reject invalid fdAT
chunks that do not have the expected contents.

Based on flutter#184301 and
flutter#183180

Fixes flutter#183179

---------

Co-authored-by: 1seal <security@1seal.org>
Co-authored-by: mohammadmseet-hue <mohammadmseet@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jtmcdole jtmcdole Awaiting requested review from jtmcdole
1 more reviewer
@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

engine flutter/engine related. See also e: labels.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@1seal @gaaclarke @jason-simmons