webp: Improve valid_file to check the header for magic words #5266

Merged: lgritz merged 1 commit into AcademySoftwareFoundation:main from lgritz:lg-webpvalid on Jul 1, 2026

lgritz (Collaborator) commented Jun 27, 2026

This is MUCH faster than asking libwebp to open the file!

Signed-off-by: Larry Gritz <lg@larrygritz.com>
jessey-git (Contributor) commented Jun 29, 2026

Here we are giving a 64-byte header to WebPGetInfo to parse through. Is that so much slower than doing a 12-byte read here? Is WebP going off the rails validating that 64 bytes?

lgritz (Collaborator, Author) commented Jun 29, 2026

I found at least some cases where this kept webp from going off the rails.

jessey-git (Contributor) left a comment

Sounds like an issue that would be interesting to file against libwebp. Extreme resource usage for small inputs can be classified as a security issue sometimes. But I also can't look that closely right now either. So this change is fine, just a little unfortunate we can't use someone else's code to validate.

@lgritz lgritz merged commit 30cb21a into AcademySoftwareFoundation:main Jul 1, 2026
27 checks passed
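
The kind of 12-byte header check this thread discusses, as an added example (not the code merged in this PR and not OpenImageIO's implementation). It assumes the WebP container layout of `RIFF`, a little-endian 32-bit size, then `WEBP`; the function names and the minimum-size sanity check are choices made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical helper (not OpenImageIO's valid_file): true if the first
// 12 bytes carry the RIFF container magic and the WEBP form type.
// Layout: "RIFF" | uint32 little-endian size | "WEBP".
bool webp_magic_ok(const unsigned char* buf, size_t len)
{
    if (buf == nullptr || len < 12)
        return false;  // truncated input: not enough bytes for the header
    if (std::memcmp(buf, "RIFF", 4) != 0 || std::memcmp(buf + 8, "WEBP", 4) != 0)
        return false;  // other RIFF types (WAVE, AVI) or unrelated data
    // Extra sanity check assumed for this example: the RIFF size counts the
    // bytes after offset 8, so it must at least cover the "WEBP" FourCC.
    uint32_t riff_size = uint32_t(buf[4]) | uint32_t(buf[5]) << 8
                         | uint32_t(buf[6]) << 16 | uint32_t(buf[7]) << 24;
    return riff_size >= 4;
}

// Read only the first 12 bytes of a file and test them; the decoder
// library is never handed data that fails this cheap check.
bool webp_file_magic_ok(const char* path)
{
    std::FILE* f = std::fopen(path, "rb");
    if (!f)
        return false;
    unsigned char hdr[12];
    size_t n = std::fread(hdr, 1, sizeof(hdr), f);  // short read => n < 12
    std::fclose(f);
    return webp_magic_ok(hdr, n);
}

int main(int argc, char** argv)
{
    for (int i = 1; i < argc; ++i)
        std::printf("%s: %s\n", argv[i],
                    webp_file_magic_ok(argv[i]) ? "WebP header" : "not WebP");
    return 0;
}
```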