flutter · auto-submit · Dec 9, 2024 · Dec 5, 2024 · Dec 6, 2024
diff --git a/lib/ui/fixtures/out_of_bounds.apng b/lib/ui/fixtures/out_of_bounds.apng
diff --git a/lib/ui/fixtures/out_of_bounds_wrapping.apng b/lib/ui/fixtures/out_of_bounds_wrapping.apng
diff --git a/lib/ui/painting/image_decoder_no_gl_unittests.cc b/lib/ui/painting/image_decoder_no_gl_unittests.cc
@@ -187,7 +187,7 @@ TEST(ImageDecoderNoGLTest, ImpellerWideGamutIndexedPng) {
 #endif  // IMPELLER_SUPPORTS_RENDERING
 }
 
-TEST(ImageDecoderNoGLTest, ImepllerUnmultipliedAlphaPng) {
+TEST(ImageDecoderNoGLTest, ImpellerUnmultipliedAlphaPng) {
 #if defined(OS_FUCHSIA)
   GTEST_SKIP() << "Fuchsia can't load the test fixtures.";
 #endif

diff --git a/lib/ui/painting/image_generator_apng.cc b/lib/ui/painting/image_generator_apng.cc
@@ -110,6 +110,28 @@ bool APNGImageGenerator::GetPixels(const SkImageInfo& info,
                     << ") of APNG due to the frame missing data (frame_info).";
     return false;
   }
+  if (
+      // Check for unsigned integer wrapping for
+      // frame.{x|y}_offset + frame_info.{width|height}().
+      frame.x_offset >
+          std::numeric_limits<uint32_t>::max() - frame_info.width() ||
+      frame.y_offset >
+          std::numeric_limits<uint32_t>::max() - frame_info.height() ||
+
+      frame.x_offset + frame_info.width() >
+          static_cast<unsigned int>(info.width()) ||
+      frame.y_offset + frame_info.height() >
+          static_cast<unsigned int>(info.height())) {
+    FML_DLOG(ERROR)
+        << "Decoded image at index " << image_index
+        << " (frame index: " << frame_index
+        << ") rejected because the destination region (x: " << frame.x_offset
+        << ", y: " << frame.y_offset << ", width: " << frame_info.width()
+        << ", height: " << frame_info.height()
+        << ") is not entirely within the destination surface (width: "
+        << info.width() << ", height: " << info.height() << ").";
+    return false;
+  }
 
   //----------------------------------------------------------------------------
   /// 3. Composite the frame onto the canvas.
@@ -630,7 +652,19 @@ uint32_t APNGImageGenerator::ChunkHeader::ComputeChunkCrc32() {
 bool APNGImageGenerator::RenderDefaultImage(const SkImageInfo& info,
                                             void* pixels,
                                             size_t row_bytes) {
-  SkCodec::Result result = images_[0].codec->getPixels(info, pixels, row_bytes);
+  APNGImage& frame = images_[0];
+  SkImageInfo frame_info = frame.codec->getInfo();
+  if (frame_info.width() > info.width() ||
+      frame_info.height() > info.height()) {
+    FML_DLOG(ERROR)
+        << "Default image rejected because the destination region (width: "
+        << frame_info.width() << ", height: " << frame_info.height()
+        << ") is not entirely within the destination surface (width: "
+        << info.width() << ", height: " << info.height() << ").";
+    return false;
+  }
+
+  SkCodec::Result result = frame.codec->getPixels(info, pixels, row_bytes);
   if (result != SkCodec::kSuccess) {
     FML_DLOG(ERROR) << "Failed to decode the APNG's default/fallback image. "
                        "SkCodec::Result: "

diff --git a/testing/dart/codec_test.dart b/testing/dart/codec_test.dart
@@ -252,6 +252,46 @@ void main() {
     imageData = (await image.toByteData())!;
     expect(imageData.getUint32(imageData.lengthInBytes - 4), 0x00000000);
   });
+
+  test(
+      'Animated apng frame decode does not crash with invalid destination region',
+      () async {
+    final Uint8List data = File(
+      path.join('flutter', 'lib', 'ui', 'fixtures', 'out_of_bounds.apng'),
+    ).readAsBytesSync();
+
+    final ui.Codec codec = await ui.instantiateImageCodec(data);
+    try {
+      await codec.getNextFrame();
+      fail('exception not thrown');
+    } on Exception catch (e) {
+      if (impellerEnabled) {
+        expect(e.toString(), contains('Could not decompress image.'));
+      } else {
+        expect(e.toString(), contains('Codec failed'));
+      }
+    }
+  });
+
+  test(
+      'Animated apng frame decode does not crash with invalid destination region and bounds wrapping',
+      () async {
+    final Uint8List data = File(
+      path.join('flutter', 'lib', 'ui', 'fixtures', 'out_of_bounds_wrapping.apng'),
+    ).readAsBytesSync();
+
+    final ui.Codec codec = await ui.instantiateImageCodec(data);
+    try {
+      await codec.getNextFrame();
+      fail('exception not thrown');
+    } on Exception catch (e) {
+      if (impellerEnabled) {
+        expect(e.toString(), contains('Could not decompress image.'));
+      } else {
+        expect(e.toString(), contains('Codec failed'));
+      }
+    }
+  });
 }
 
 /// Returns a File handle to a file in the skia/resources directory.