Merge pull request #1563 from 5225225/add-overflow-webp

webp: Do not panic on overflow if size is maximum

src/codecs/webp/decoder.rs

@@ -106,13 +106,17 @@ impl<R: Read> WebPDecoder<R> {
                     )));
                 }
                 _ => {
-                    let mut len = self.r.read_u32::<LittleEndian>()?;
+                    let mut len = u64::from(self.r.read_u32::<LittleEndian>()?);
+
                     if len % 2 != 0 {
                         // RIFF chunks containing an uneven number of bytes append
                         // an extra 0x00 at the end of the chunk
+                        //
+                        // The addition cannot overflow since we have a u64 that was created from a u32
                         len += 1;
                     }
-                    io::copy(&mut self.r.by_ref().take(len as u64), &mut io::sink())?;
+
+                    io::copy(&mut self.r.by_ref().take(len), &mut io::sink())?;
                 }
             }
         }
@@ -183,3 +187,23 @@ impl<'a, R: 'a + Read> ImageDecoder<'a> for WebPDecoder<R> {
         Ok(())
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn add_with_overflow_size() {
+        let bytes = vec![0x52, 0x49, 0x46, 0x46, 0xaf, 0x37, 0x80, 0x47, 0x57, 0x45, 0x42, 0x50,
+                        0x6c, 0x64, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xfb, 0x7e, 0x73, 0x00,
+                        0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
+                        0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x40, 0xfb, 0xff, 0xff, 0x65, 0x65,
+                        0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x00, 0x00, 0x00,
+                        0x62, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x49, 0x54,
+                        0x55, 0x50, 0x4c, 0x54, 0x59, 0x50, 0x45, 0x33, 0x37, 0x44, 0x4d, 0x46];
+
+        let data = std::io::Cursor::new(bytes);
+
+        let _ = WebPDecoder::new(data);
+    }
+}