Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec

[Vincent Rabaud <vrabaud () google com>]

Hi, we have commented on that here:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62136#c7

On Fri, Sep 22, 2023 at 12:54 PM Solar Designer <solar () openwall com> wrote:

> On Fri, Sep 22, 2023 at 07:28:17AM +0200, Hanno B??ck wrote:
> > On Thu, 21 Sep 2023 22:52:50 +0200 Solar Designer <solar () openwall com>
> wrote:
> > > However, another maybe-important one also made it into 1.3.2:
> > >
> > > commit 95ea5226c870449522240ccff26f0b006037c520
> > > Author: Vincent Rabaud <vrabaud () google com>
> > > Date:   Mon Sep 11 16:06:08 2023 +0200
> > >
> > >     Fix invalid incremental decoding check.
> >
> > It does not look to me that this fix is in 1.3.2:
> > https://github.com/webmproject/libwebp/commits/v1.3.2
> >
> > I've seen this commit as well and have been wondering for a few days if
> > we'll hear about abother libwebp issue soon.
>
> Oh, you're correct - this commit is _not_ in 1.3.2.
>
> I was looking at the main branch and wrongly assumed that all I see in
> there before:
>
> commit ca332209cb5567c9b249c86788cb2dbf8847e760 (tag: v1.3.2, origin/1.3.2)
>
> is in 1.3.2.  However, that commit tagged 1.3.2 got into main as part of
> a merge commit, by which point main already had other commits including
> 95ea5226c870449522240ccff26f0b006037c520 that were not in 1.3.2 branch/tag.
>
> So there may be 1 to 3 commits fixing more security issues after 1.3.2.
>
> Thank you for correcting me!
>
> Alexander