[CP-stable]Fix a potential buffer overflow in the animated PNG decoder when parsing malformed fdAT chunks#188038
…ing malformed fdAT chunks (flutter#186700) An fdAT (frame data) chunk in an APNG should contain a sequence number followed by image data. The APNG decoder needs to reject invalid fdAT chunks that do not have the expected contents. Based on flutter#184301 and flutter#183180 Fixes flutter#183179 --------- Co-authored-by: 1seal <security@1seal.org> Co-authored-by: mohammadmseet-hue <mohammadmseet@gmail.com>
|
@jason-simmons please fill out the PR description above, afterwards the release team will review this request. |
|
This pull request was opened from and to a release candidate branch. This should only be done as part of the official Flutter release process. If you are attempting to make a regular contribution to the Flutter project, please close this PR and follow the instructions at Tree Hygiene for detailed instructions on contributing to Flutter. Reviewers: Use caution before merging pull requests to release branches. Ensure the proper procedure has been followed. |
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
Code Review
This pull request introduces bounds checks in the APNG image generator to prevent potential integer underflows and crashes when parsing malformed APNG chunks (such as acTL, fcTL, and fdAT chunks with insufficient data length). It also extracts a CRC32 helper function and adds a new unit test suite to verify these safety checks. The review feedback suggests explicitly including missing headers ( and "flutter/fml/logging.h") and sorting the include directives alphabetically in the new unit test file to comply with the Google C++ Style Guide.
|
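The review summary above describes the shape of the fix: every APNG chunk payload is bounds-checked against the minimum size the spec requires before any arithmetic is done on it, and CRC checking lives in a shared helper. The block below is an added, self-contained illustration of that pattern and is not the Flutter engine's code from this PR. It assumes the APNG minimum payload sizes (acTL 8 bytes, fcTL 26 bytes, fdAT 4-byte sequence number plus data) and the standard PNG chunk layout and CRC-32; the chunk-builder and the sample inputs are constructed for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Minimum payload sizes from the APNG spec: acTL carries num_frames and
// num_plays (2 x uint32), fcTL carries 26 bytes of frame control, and
// fdAT carries a uint32 sequence number followed by compressed image data.
constexpr size_t kActlLength = 8;
constexpr size_t kFctlLength = 26;
constexpr size_t kFdatSequenceLength = 4;

enum class ChunkStatus {
  kOk,
  kTruncatedHeader,      // fewer than 8 bytes left for length + type
  kLengthExceedsBuffer,  // declared length runs past the end of the input
  kBadCrc,
  kInvalidActl,
  kInvalidFctl,
  kInvalidFdat,
};

// Bitwise CRC-32 with the PNG/zlib polynomial (reflected form 0xEDB88320).
uint32_t Crc32(const uint8_t* data, size_t len) {
  uint32_t crc = 0xFFFFFFFFu;
  for (size_t i = 0; i < len; ++i) {
    crc ^= data[i];
    for (int bit = 0; bit < 8; ++bit) {
      crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
  }
  return crc ^ 0xFFFFFFFFu;
}

uint32_t ReadBigEndian32(const uint8_t* p) {
  return (uint32_t{p[0]} << 24) | (uint32_t{p[1]} << 16) |
         (uint32_t{p[2]} << 8) | uint32_t{p[3]};
}

// Walk a sequence of PNG chunks (length, type, payload, crc) and reject any
// APNG chunk whose payload is shorter than the spec requires. Every size
// check compares before it subtracts, so a hostile length field can never
// underflow a size_t and turn into an out-of-bounds read.
ChunkStatus ValidateChunks(const std::vector<uint8_t>& buf) {
  size_t pos = 0;
  while (pos < buf.size()) {
    if (buf.size() - pos < 8) return ChunkStatus::kTruncatedHeader;
    const uint32_t length = ReadBigEndian32(&buf[pos]);
    const uint8_t* type = &buf[pos + 4];
    // 8 header bytes + payload + 4 CRC bytes must all fit in what remains.
    const size_t remaining = buf.size() - pos - 8;
    if (length > remaining || remaining - length < 4) {
      return ChunkStatus::kLengthExceedsBuffer;
    }
    const uint8_t* payload = &buf[pos + 8];
    // The PNG CRC covers the type field and the payload, not the length.
    const uint32_t expected_crc = ReadBigEndian32(payload + length);
    if (Crc32(type, 4 + length) != expected_crc) return ChunkStatus::kBadCrc;
    if (std::memcmp(type, "acTL", 4) == 0 && length < kActlLength) return ChunkStatus::kInvalidActl;
    if (std::memcmp(type, "fcTL", 4) == 0 && length < kFctlLength) return ChunkStatus::kInvalidFctl;
    if (std::memcmp(type, "fdAT", 4) == 0 && length < kFdatSequenceLength) return ChunkStatus::kInvalidFdat;
    pos += 8 + length + 4;
  }
  return ChunkStatus::kOk;
}

// Constructed helper: build a well-formed chunk so the validator can be
// exercised offline (the CRC is produced by the same Crc32 helper).
std::vector<uint8_t> MakeChunk(const char* type, const std::vector<uint8_t>& payload) {
  std::vector<uint8_t> chunk;
  const uint32_t len = static_cast<uint32_t>(payload.size());
  for (int shift = 24; shift >= 0; shift -= 8) chunk.push_back(static_cast<uint8_t>(len >> shift));
  chunk.insert(chunk.end(), type, type + 4);
  chunk.insert(chunk.end(), payload.begin(), payload.end());
  const uint32_t crc = Crc32(&chunk[4], 4 + payload.size());
  for (int shift = 24; shift >= 0; shift -= 8) chunk.push_back(static_cast<uint8_t>(crc >> shift));
  return chunk;
}

// Constructed sample inputs, not taken from any real image.
ChunkStatus CheckWellFormed() {
  std::vector<uint8_t> buf = MakeChunk("acTL", std::vector<uint8_t>(kActlLength, 0));
  const std::vector<uint8_t> fdat = MakeChunk("fdAT", {0, 0, 0, 1, 0x78, 0x9c});
  buf.insert(buf.end(), fdat.begin(), fdat.end());
  return ValidateChunks(buf);
}
ChunkStatus CheckShortFdat() {
  // Three bytes: not even a complete sequence number, so it must be rejected.
  return ValidateChunks(MakeChunk("fdAT", {0, 0, 1}));
}
ChunkStatus CheckLengthOverrun() {
  std::vector<uint8_t> buf = MakeChunk("fcTL", std::vector<uint8_t>(kFctlLength, 0));
  buf[3] = 0xFF;  // declared length 255 while only 26 payload bytes exist
  return ValidateChunks(buf);
}
ChunkStatus CheckCorruptedCrc() {
  std::vector<uint8_t> buf = MakeChunk("acTL", std::vector<uint8_t>(kActlLength, 0));
  buf[8] ^= 0x01;  // flip a payload bit so the stored CRC no longer matches
  return ValidateChunks(buf);
}

int main() {
  std::printf("well-formed: %d, short fdAT: %d, overrun: %d, bad crc: %d\n",
              static_cast<int>(CheckWellFormed()), static_cast<int>(CheckShortFdat()),
              static_cast<int>(CheckLengthOverrun()), static_cast<int>(CheckCorruptedCrc()));
  return 0;
}
```

The important ordering is in `ValidateChunks`: the declared length is compared against the remaining bytes before `remaining - length` is ever evaluated, and the per-type minimum is enforced before any code would read the sequence number out of an fdAT payload. A decoder that computed `length - 4` first would wrap to a huge value on a 3-byte chunk, which is exactly the underflow the review summary describes.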
Looks like the CLA check is still failing |
|
Hi @1seal due to (what seems to be a github) limitation, the Could you visit the cla check page and add that email to your existing CLA? It should work retroactively so the comment doesn't have to be changed. |
|
Hi @LongCatIsLooong, signed, but it seems that for some reason it still has a failed status |
Thanks! Yeah, I reran the check; it still says |
|
@LongCatIsLooong there is a bug, it says: "It looks like you've already signed this CLA" |
Merged a4ce257 into flutter:flutter-3.44-candidate.0
Looks like it's fixed! Merging now. Thanks for the help! |
Issue Link:
#183179
Impact Description:
Potential crash when rendering animated PNG images.
Changelog Description:
Fixes an issue that can cause crashes when rendering animated PNG images.
Workaround:
Is there a workaround for this issue?
No
Risk:
What is the risk level of this cherry-pick?
Test Coverage:
Are you confident that your fix is well-tested by automated tests?
Validation Steps:
Run the unit tests (./ui_unittests --gtest_filter=APNGImageGeneratorTest.*)