ALAS2-2023-2291 --- thunderbirdID: oval:org.secpod.oval:def:1701876 | Date: (C)2023-11-24 (M)2024-02-19 |
Class: PATCH | Family: unix |
Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap.The ReadHuffmanCodes function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use.The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table lookups. libwebp allows codes that are up to 15-bit . When BuildHuffmanTable attempts to fill the second-level tables it may write data out-of-bounds. The OOB write to the undersized array happens in ReplicateValue