
In the APNG decoder, validate the chunk data length before calling GetChunkSize to avoid potential overflow in the chunk size calculation#187949

Merged: auto-submit[bot] merged 7 commits into flutter:master from jason-simmons:pr_187701_apng on Jun 15, 2026

Conversation

@jason-simmons (Member)

Before this PR, APNGImageGenerator::IsValidChunkHeader was calling GetChunkSize to check whether the buffer had sufficient capacity for the chunk.
The chunk contains a 32-bit data length field, and GetChunkSize calculates the chunk size as a size_t. If size_t is 32-bit and the chunk data length is malformed, then the calculation could overflow and return an incorrect result.

This PR verifies that the chunk's data length fits within the remaining capacity of the buffer before using the length in calculations.

See #187701
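To make the failure mode in the description concrete, here is an added example that is not Flutter's code: a minimal model of the chunk-header check before and after the fix. A PNG chunk is a 4-byte big-endian data length, a 4-byte type, the data, and a 4-byte CRC (12 bytes of overhead around the data). The names `Size32`, `IsValidChunkHeaderBefore`, `IsValidChunkHeaderAfter` and `MakeChunk` are hypothetical; `Size32` is a 32-bit stand-in for `size_t` so the wrap on a 32-bit target can be reproduced on a 64-bit host. The sample chunks are constructed inline.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example (not Flutter's code). PNG chunk layout: 4-byte big-endian
// data length, 4-byte type, <length> data bytes, 4-byte CRC.
constexpr uint32_t kChunkOverhead = 4 + 4 + 4;  // length + type + CRC

// Hypothetical 32-bit size type standing in for size_t on a 32-bit target,
// so the wrap is reproducible on a 64-bit host.
using Size32 = uint32_t;

static uint32_t ReadBigEndian32(const uint8_t* p) {
  return (static_cast<uint32_t>(p[0]) << 24) |
         (static_cast<uint32_t>(p[1]) << 16) |
         (static_cast<uint32_t>(p[2]) << 8) |
         static_cast<uint32_t>(p[3]);
}

// Pre-fix shape: the total chunk size is computed first, then compared.
// With a 32-bit size type, data_length + 12 wraps for any data_length
// >= 0xFFFFFFF4, so a huge declared length can pass the capacity test.
static Size32 GetChunkSize32(uint32_t data_length) {
  return static_cast<Size32>(data_length) + kChunkOverhead;
}

bool IsValidChunkHeaderBefore(const std::vector<uint8_t>& buf, size_t offset) {
  if (buf.size() < offset || buf.size() - offset < kChunkOverhead) return false;
  uint32_t data_length = ReadBigEndian32(buf.data() + offset);
  Size32 remaining = static_cast<Size32>(buf.size() - offset);
  return GetChunkSize32(data_length) <= remaining;  // BUG: wraps on 32-bit
}

// Post-fix shape: bound the declared length against the capacity left for
// data before it enters any arithmetic. remaining - kChunkOverhead cannot
// underflow because of the guard above, and the comparison cannot wrap,
// so the result is correct for any width of size_t.
bool IsValidChunkHeaderAfter(const std::vector<uint8_t>& buf, size_t offset) {
  if (buf.size() < offset || buf.size() - offset < kChunkOverhead) return false;
  uint32_t data_length = ReadBigEndian32(buf.data() + offset);
  size_t remaining = buf.size() - offset;
  return data_length <= remaining - kChunkOverhead;
}

// Constructed test chunk: declared length, type "fcTL", `payload_bytes`
// zero bytes of data and a 4-byte zero CRC placeholder (CRC correctness is
// out of scope for the length check).
std::vector<uint8_t> MakeChunk(uint32_t declared_length, size_t payload_bytes) {
  std::vector<uint8_t> buf = {
      static_cast<uint8_t>(declared_length >> 24),
      static_cast<uint8_t>(declared_length >> 16),
      static_cast<uint8_t>(declared_length >> 8),
      static_cast<uint8_t>(declared_length),
      'f', 'c', 'T', 'L'};
  buf.resize(buf.size() + payload_bytes + 4, 0);
  return buf;
}
```

With a 16-byte buffer and a declared length of 0xFFFFFFF8, the pre-fix check computes 0xFFFFFFF8 + 12, which wraps to 4 in 32 bits and passes the capacity test; the post-fix check compares the raw length against the 4 bytes actually available and rejects it. Honest chunks pass both checks, and a length one byte over the available data fails both.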

@flutter-dashboard flutter-dashboard Bot added the CICD Run CI/CD label Jun 12, 2026
@github-actions github-actions Bot added the engine flutter/engine related. See also e: labels. label Jun 12, 2026
gemini-code-assist[bot] left a comment (marked as resolved).

@github-actions github-actions Bot removed the CICD Run CI/CD label Jun 12, 2026
@jason-simmons (Member, Author)

/gemini review

@gemini-code-assist (Contributor) left a comment:

Code Review

This pull request enhances bounds checking in APNGImageGenerator::IsValidChunkHeader to prevent potential integer overflows and out-of-bounds reads when parsing APNG chunks. Additionally, it introduces a unit test and a helper function to verify that malformed chunks with mismatched declared lengths are correctly rejected. There are no review comments, and I have no feedback to provide.

@unknownhad (Contributor)

Thanks for picking this up, @jason-simmons! Validating the data length in IsValidChunkHeader before it reaches GetChunkSize is a cleaner approach than what I had in #187701. LGTM.

Happy to close my PR once this lands.

unknownhad and others added 6 commits June 12, 2026 20:27
…andardCodecSerializer

Add overflow detection in GetChunkSize to prevent size_t wrap on 32-bit
platforms. Add remaining-bytes validation in StandardCodecSerializer
before string/vector/list/map allocations to reject malformed messages
early.
…he risk of overflow in the chunk size calculation
@github-actions github-actions Bot removed the CICD Run CI/CD label Jun 12, 2026
@flutter-dashboard flutter-dashboard Bot added the CICD Run CI/CD label Jun 12, 2026

@bdero (Member) left a comment:

lgtm

@jason-simmons jason-simmons added the autosubmit Merge PR when tree becomes green via auto submit App label Jun 15, 2026
@auto-submit auto-submit Bot added this pull request to the merge queue Jun 15, 2026
Merged via the queue into flutter:master with commit 24771ef Jun 15, 2026
206 checks passed
@flutter-dashboard flutter-dashboard Bot removed the autosubmit Merge PR when tree becomes green via auto submit App label Jun 15, 2026
auto-submit Bot pushed a commit to flutter/packages that referenced this pull request Jun 15, 2026
Roll Flutter from b7cb925419e6 to 5827d5fd2b8d (35 revisions)

flutter/flutter@b7cb925...5827d5f

2026-06-15 engine-flutter-autoroll@skia.org Roll Skia from 7128af60575a to c8d9f80f13e4 (1 revision) (flutter/flutter#188015)
2026-06-15 jason-simmons@users.noreply.github.com In the APNG decoder, validate the chunk data length before calling GetChunkSize to avoid potential overflow in the chunk size calculation (flutter/flutter#187949)
2026-06-15 engine-flutter-autoroll@skia.org Roll Skia from 6b4ac3bfb39d to 7128af60575a (1 revision) (flutter/flutter#188011)
2026-06-15 engine-flutter-autoroll@skia.org Roll Skia from 0a3b8549cbf0 to 6b4ac3bfb39d (7 revisions) (flutter/flutter#188007)
2026-06-15 98614782+auto-submit[bot]@users.noreply.github.com Reverts "[a11y] Map some framework semantics roles to android classes.  (#185217)" (flutter/flutter#188008)
2026-06-15 chris@bracken.jp [ios] Filter UIScene events to those relating to Flutter VC scene (flutter/flutter#187987)
2026-06-15 jhy03261997@gmail.com [a11y] Map some framework semantics roles to android classes.  (flutter/flutter#185217)
2026-06-15 engine-flutter-autoroll@skia.org Roll Skia from f46928e7f50c to 0a3b8549cbf0 (1 revision) (flutter/flutter#188004)
2026-06-14 stuartmorgan@google.com Rework docs for flutter/packages changelogs (flutter/flutter#187666)
2026-06-14 engine-flutter-autoroll@skia.org Roll Fuchsia Linux SDK from nvzMQAmuRSzo7-wAP... to TbB86Po_HDe1dvXvT... (flutter/flutter#187997)
2026-06-14 engine-flutter-autoroll@skia.org Roll Skia from 4e2c9b5e4dad to f46928e7f50c (1 revision) (flutter/flutter#187996)
2026-06-14 engine-flutter-autoroll@skia.org Roll Skia from c52667607242 to 4e2c9b5e4dad (1 revision) (flutter/flutter#187990)
2026-06-14 737941+loic-sharma@users.noreply.github.com Improve RenderTargetCache docs (flutter/flutter#187893)
2026-06-13 brackenavaron@gmail.com [Test cross_imports] Check cross imports in flutter_test/** (flutter/flutter#187587)
2026-06-13 matt.kosarek@canonical.com Fixing corrupted window size OnEmptyFrameGenerated due to transposed width/height (flutter/flutter#187954)
2026-06-13 engine-flutter-autoroll@skia.org Roll Skia from 42355271a335 to c52667607242 (2 revisions) (flutter/flutter#187979)
2026-06-13 engine-flutter-autoroll@skia.org Roll Fuchsia Linux SDK from A3eaUn9mQ_EkSNxVI... to nvzMQAmuRSzo7-wAP... (flutter/flutter#187975)
2026-06-13 engine-flutter-autoroll@skia.org Roll Skia from 9ef46390c2d1 to 42355271a335 (1 revision) (flutter/flutter#187974)
2026-06-13 bdero@google.com [Flutter GPU] Make ShaderLibrary.fromAsset asynchronous (flutter/flutter#187716)
2026-06-13 engine-flutter-autoroll@skia.org Roll Skia from 8c89bf2b0ee3 to 9ef46390c2d1 (6 revisions) (flutter/flutter#187968)
2026-06-12 bdero@google.com [Flutter GPU] Add surface API for framework presentation (flutter/flutter#187358)
2026-06-12 bkonyi@google.com [gen_l10n] Exclude inherited keys from untranslated-messages-file (flutter/flutter#187950)
2026-06-12 31859944+LongCatIsLooong@users.noreply.github.com Update `MediaQueryData` docs for devicePixelRatio overriding (flutter/flutter#187542)
2026-06-12 bdero@google.com [Impeller] Fix dirty-range race in DeviceBufferGLES uploads (flutter/flutter#187932)
2026-06-12 pascal@phntm.xyz Compare isModifiedAfter against the given time (flutter/flutter#187727)
2026-06-12 planetmarshall@users.noreply.github.com Enable unit tests for compilation of compute shaders on non-metal backends (flutter/flutter#179683)
2026-06-12 matt.boetger@gmail.com [flutter_tools] Add doctor validator warning for multiple adb installations (flutter/flutter#186031)
2026-06-12 matt.boetger@gmail.com Optimize SHA hash calculation of generated APK (flutter/flutter#187184)
2026-06-12 mu7ammadkamel@hotmail.com Scope widget inspector overlay to the selected widget's modal route (flutter/flutter#186784)
2026-06-12 30870216+gaaclarke@users.noreply.github.com Switches Windows to OpenGLESSDF (flutter/flutter#187877)
2026-06-12 matt.boetger@gmail.com [integration_test] Update README to support modern Kotlin-based setups by default (flutter/flutter#186080)
2026-06-12 jason-simmons@users.noreply.github.com Convert the PNG signature constant in APNGImageGenerator to a std::array and use it in the APNG tests (flutter/flutter#187930)
2026-06-12 matt.boetger@gmail.com Correct backoff retry time cap unit and add regression tests (flutter/flutter#187250)
2026-06-12 chingjun@google.com Fix std::vector out-of-bounds access in Flutter Android JNI and Delegate (flutter/flutter#187218)
2026-06-12 matt.boetger@gmail.com [Android] Adding 30-second timeouts to adb stopApp and uninstallApp (flutter/flutter#187876)

If this roll has caused a breakage, revert this CL and stop the roller
using the controls here:
https://autoroll.skia.org/r/flutter-packages
Please CC bmparr@google.com,stuartmorgan@google.com on the revert to ensure that a human
is aware of the problem.

To file a bug in Packages: https://github.com/flutter/flutter/issues/new/choose

To report a problem with the AutoRoller itself, please file a bug:
https://issues.skia.org/issues/new?component=1389291&template=1850622
...
@unknownhad (Contributor)

How can I get a CVE for this issue?

via-guy pushed a commit to via-guy/flutter that referenced this pull request Jun 26, 2026
…tChunkSize to avoid potential overflow in the chunk size calculation (flutter#187949)

Before this PR, APNGImageGenerator::IsValidChunkHeader was calling
GetChunkSize to check whether the buffer had sufficient capacity for the
chunk.
The chunk contains a 32-bit data length field, and GetChunkSize
calculates the chunk size as a size_t. If size_t is 32-bit and the chunk
data length is malformed, then the calculation could overflow and return
an incorrect result.

This PR verifies that the chunk's data length fits within the remaining
capacity of the buffer before using the length in calculations.

See flutter#187701

---------

Co-authored-by: Himanshu Anand <anand.himanshu17@gmail.com>
Labels: CICD Run CI/CD; engine flutter/engine related. See also e: labels.

3 participants