| Title | MrNanko(dev.matrixlab:webp4j) webp4j <= 1.4.0 Integer Overflow to Buffer Overflow |
|---|
| Description | The webp4j library (a JNI-based Java library for WebP encoding/decoding and GIF-to-WebP conversion) contains multiple integer overflow vulnerabilities in its GIF decoder. The vulnerable code is in src/main/c/gif_decoder.c, where the canvas and raster size calculations are performed in 32-bit signed `int` arithmetic on attacker-controlled dimensions without any overflow check.
The vulnerability exists in multiple locations in `src/main/c/gif_decoder.c` (line numbers as reported):
1. **Lines 153-155**: Canvas size calculation
```c
// canvas_width / canvas_height carry the 16-bit Logical Screen size; the
// product is evaluated in 32-bit signed int and can wrap to a small value
int canvas_size = result->canvas_width * result->canvas_height * 4;
uint8_t* canvas = (uint8_t*)malloc(canvas_size);      // undersized after a wrap
uint8_t* prev_canvas = (uint8_t*)malloc(canvas_size); // same size, same problem
```
2. **Line 239**: Raster size calculation
```c
// Image.Width / Image.Height come from the 16-bit Image Descriptor of each frame;
// the same int multiplication, here without the factor 4
int raster_size = gif->Image.Width * gif->Image.Height;
uint8_t* raster = (uint8_t*)malloc(raster_size);
```
3. **Lines 67-79 (ClearCanvas)**: Loop bounds
```c
// width * height is again an int product of two 16-bit values, and the loop
// trusts it rather than the size that was actually allocated
for (int i = 0; i < width * height; i++) {
canvas[i * 4 + 0] = r; // OOB write once the canvas allocation was undersized
}
```
The `canvas_width` and `canvas_height` values come directly from the GIF file's Logical Screen Descriptor (attacker-controlled 16-bit fields, so up to 65535 each); `Image.Width` and `Image.Height` come from the equally untrusted 16-bit Image Descriptor. `width * height * 4` can therefore reach 65535 * 65535 * 4 = 17,179,344,900, far above INT_MAX (2,147,483,647), yet it is evaluated in `int`. That is signed integer overflow, undefined behaviour in C, which on two's-complement targets wraps modulo 2^32 in practice.
For example, with dimensions 46341x46341:
- 64-bit calculation: 46341 * 46341 * 4 = 8,589,953,124 bytes (about 8.6 GB)
- 32-bit signed result: 18,532 bytes (8,589,953,124 mod 2^32, i.e. the value wrapped)
- malloc(18532) succeeds
- ClearCanvas then iterates over the full 46341 * 46341 pixel area, writing 8.6 GB worth of pixel data into an 18 KB buffer → **Heap Overflow**
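The following is an added example written for this page, not code from webp4j or from the report: it reproduces the size arithmetic of items 1-3 in a small C program and places a hardened version beside it. It parses the Logical Screen Descriptor from a constructed 13-byte GIF header, recomputes `canvas_size` and the ClearCanvas loop bound the way the reported code does (in 32-bit arithmetic), and then applies the fix a reviewer would ask for: widen to 64 bits before multiplying, reject zero dimensions and anything above a cap, and bound the clearing loop by the allocated byte count rather than a recomputed product. It also goes one step beyond the report's 46341x46341 case. For that pair `width * height` alone already exceeds INT_MAX and wraps negative, so a loop bounded by `i < width * height` runs zero times; a pair such as 32768x32769 keeps the loop bound positive (1,073,774,592) while `canvas_size` wraps to 131,072, which is the shape of input that actually drives ClearCanvas past the allocation. `MAX_CANVAS_BYTES`, the header constants and all function names are assumptions for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed GIF89a headers (not real files): 6-byte signature followed by the
 * 7-byte Logical Screen Descriptor. Width and height are little-endian uint16.
 * 0x05 0xB5 = 46341, the dimensions from the report. */
static const uint8_t kConstructedGifHeader[13] = {
    'G', 'I', 'F', '8', '9', 'a',
    0x05, 0xB5,        /* logical screen width  = 46341 */
    0x05, 0xB5,        /* logical screen height = 46341 */
    0x00, 0x00, 0x00   /* packed fields, background index, aspect ratio */
};
static const uint8_t kBenignGifHeader[13] = {
    'G', 'I', 'F', '8', '9', 'a',
    0x40, 0x00,        /* width  = 64 */
    0x30, 0x00,        /* height = 48 */
    0x00, 0x00, 0x00
};

/* Parse signature and Logical Screen Descriptor. The decoder does no further
 * validation of these dimensions before the size arithmetic. */
static bool parse_lsd(const uint8_t *buf, size_t len, uint16_t *w, uint16_t *h) {
    if (len < 13) return false;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return false;
    *w = (uint16_t)(buf[6] | (buf[7] << 8));
    *h = (uint16_t)(buf[8] | (buf[9] << 8));
    return true;
}

/* Reproduces `int canvas_size = width * height * 4;`. The product is taken in
 * uint32_t so the wrap is well-defined here; the original signed multiply is
 * undefined behaviour that two's-complement targets wrap the same way. */
static int32_t canvas_size_as_written(uint16_t w, uint16_t h) {
    return (int32_t)((uint32_t)w * (uint32_t)h * 4u);
}

/* Reproduces the ClearCanvas bound `i < width * height` under the same wrap. */
static int32_t loop_bound_as_written(uint16_t w, uint16_t h) {
    return (int32_t)((uint32_t)w * (uint32_t)h);
}

/* Assumed policy cap for this example, not a webp4j constant. Bounding the
 * allocation explicitly also protects 32-bit size_t targets. */
#define MAX_CANVAS_BYTES (256u * 1024u * 1024u)

/* Hardened size calculation for both the 4-byte-per-pixel canvas (item 1) and
 * the 1-byte-per-pixel raster (item 2): 65535 * 65535 * 4 < 2^35, so the
 * 64-bit product cannot overflow; then reject empty buffers and oversized ones. */
static bool buffer_size_checked(uint16_t w, uint16_t h, unsigned bpp, size_t *out) {
    if (w == 0 || h == 0 || bpp == 0 || bpp > 4) return false;
    uint64_t bytes = (uint64_t)w * (uint64_t)h * (uint64_t)bpp;
    if (bytes > MAX_CANVAS_BYTES) return false;
    *out = (size_t)bytes;
    return true;
}

/* Hardened ClearCanvas (item 3): the loop is bounded by the byte length that was
 * actually allocated, and the index is a size_t, not a recomputed int product. */
static void clear_canvas_checked(uint8_t *canvas, size_t canvas_bytes,
                                 uint8_t r, uint8_t g, uint8_t b, uint8_t a) {
    for (size_t off = 0; off + 4 <= canvas_bytes; off += 4) {
        canvas[off + 0] = r; canvas[off + 1] = g;
        canvas[off + 2] = b; canvas[off + 3] = a;
    }
}

/* Allocate and clear an RGBA canvas for the header, or return NULL on rejection.
 * *out_bytes receives the allocated length. Caller frees. */
static uint8_t *decode_canvas_checked(const uint8_t *buf, size_t len, size_t *out_bytes) {
    uint16_t w, h;
    if (!parse_lsd(buf, len, &w, &h)) return NULL;
    if (!buffer_size_checked(w, h, 4, out_bytes)) return NULL;
    uint8_t *canvas = malloc(*out_bytes);
    if (canvas) clear_canvas_checked(canvas, *out_bytes, 0, 0, 0, 0xFF);
    return canvas;
}

int main(void) {
    uint16_t w, h;
    if (!parse_lsd(kConstructedGifHeader, sizeof kConstructedGifHeader, &w, &h)) return 1;
    printf("%ux%u as written: canvas_size=%" PRId32 " loop bound=%" PRId32 "\n",
           (unsigned)w, (unsigned)h, canvas_size_as_written(w, h), loop_bound_as_written(w, h));
    printf("32768x32769 as written: canvas_size=%" PRId32 " loop bound=%" PRId32 "\n",
           canvas_size_as_written(32768, 32769), loop_bound_as_written(32768, 32769));
    size_t bytes = 0;
    uint8_t *canvas = decode_canvas_checked(kConstructedGifHeader, sizeof kConstructedGifHeader, &bytes);
    printf("checked decode of 46341x46341: %s\n", canvas ? "accepted" : "rejected");
    free(canvas);
    canvas = decode_canvas_checked(kBenignGifHeader, sizeof kBenignGifHeader, &bytes);
    printf("checked decode of 64x48: %s, %zu bytes\n", canvas ? "accepted" : "rejected", bytes);
    free(canvas);
    return 0;
}
```

Running it prints 18532 and a negative loop bound for 46341x46341, and 131072 with a loop bound of 1,073,774,592 for 32768x32769; the checked path rejects both and accepts 64x48 with a 12,288-byte canvas. The cap is the one design choice worth debating per deployment: without it, a 64-bit `size_t` makes the multiplication safe but still lets a 13-byte file request a 17 GB allocation.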
|
|---|
| Source | https://github.com/MrNanko/webp4j/issues/6 |
|---|
| User | sp1d3r (UID 77907) |
|---|
| Submission | 23.02.2026 19:23 (1 month ago) |
|---|
| Moderation | 07.03.2026 10:09 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 349653 [MrNanko webp4j up to 1.3.x src/main/c/gif_decoder.c DecodeGifFromMemory canvas_height Buffer Overflow] |
|---|
| Points | 20 |
|---|