More careful handling in APNG decoder (for APNG) (#3697)

(cherry picked from commit 58ce689b89b80a2502618299ceee49e580be0e54)
google · Dec 5, 2024 · dc31aeb · dc31aeb
1 parent 7ea4104
commit dc31aeb
Showing 1 changed file with 10 additions and 7 deletions.
diff --git a/third_party/apngdis/dec.cc b/third_party/apngdis/dec.cc
@@ -52,6 +52,7 @@
 #include "lib/base/compiler_specific.h"
 #include "lib/base/printf_macros.h"
 #include "lib/base/rect.h"
+#include "lib/base/sanitizers.h"
 #include "lib/base/span.h"
 #include "lib/base/status.h"
 #include "lib/extras/codestream_header.h"
@@ -623,13 +624,15 @@ struct Context {
     png_process_data(png_ptr, info_ptr, const_cast<uint8_t*>(kFooter.data()),
                      kFooter.size());
     // before destroying: check if we encountered any metadata chunks
-    png_textp text_ptr;
-    int num_text;
-    png_get_text(png_ptr, info_ptr, &text_ptr, &num_text);
-    for (int i = 0; i < num_text; i++) {
-      Status result = DecodeBlob(text_ptr[i], metadata);
-      // Ignore unknown / malformed blob.
-      (void)result;
+    png_textp text_ptr = nullptr;
+    int num_text = 0;
+    if (png_get_text(png_ptr, info_ptr, &text_ptr, &num_text) != 0) {
+      msan::UnpoisonMemory(text_ptr, sizeof(png_text_struct) * num_text);
+      for (int i = 0; i < num_text; i++) {
+        Status result = DecodeBlob(text_ptr[i], metadata);
+        // Ignore unknown / malformed blob.
+        (void)result;
+      }
     }
 
     return true;