Add dimension limit for alpha chunks

Question

Add dimension limit for alpha chunks

Opened this issue a year ago · 0 comments

The VP8X chunk allows specifying ridiculously large canvas dimensions up to 2^24 x 2^24, which end up being used for ALPH chunk bitstreams. This can be a DoS vector. It's unclear whether there's a valid WebP with such large dimensions, as both the VP8 and VP8L bitstreams only allow dimensions up to 2^12 x 2^12. In other words, a larger ALPH would be rejected later anyway in parsing for mismatching dimensions with the VP8/VP8L appearing later.