Heap buffer overflow in the WebP image library

Original Post:
The WebP 0day
We discussed this vulnerability during Episode 218 on 10 October 2023

A rather complex bug to trigger, found being exploited in the wild against libwebp's VP8L compression and reachable through an iMessage.

There is a fair degree of complexity when it comes to reaching the bug, but it can be summed up reasonably simply: the application allocates a buffer it believes will hold a maximum-sized Huffman table. It then decodes the data into that buffer, producing five Huffman table segments (each segment is a Huffman table in the traditional sense, but WebP treats the whole group as a single Huffman table).

The problem is that, even though there is a consistency check at the end of building the table, which ensures it produced the right number of nodes and ends processing of the file if not, this check happens after the data has already been written into the Huffman table segments. It is too late to stop a malformed table from causing an overflow and out-of-bounds write, because those writes happen during decoding, before the check.

In order to actually trigger this vulnerability, the author had to first provide four maximally sized table segments to push the writes as far into the allocated buffer as possible; the final, and smallest, Huffman table of the bunch could then be malformed with extra nodes, allowing it to overflow.
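As an added, constructed example (not libwebp's code or the author's), the toy canonical-Huffman table builder below does the ordering the text describes the other way round: it computes how many table slots the code lengths require and rejects an over-subscribed or incomplete code before the first write, so extra nodes can never push stores past the buffer. MAX_LEN, TABLE_SLOTS and the function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy first-level Huffman lookup: codes are at most MAX_LEN bits, so a
 * complete code (Kraft equality) fills exactly TABLE_SLOTS entries.
 * Constructed example, not libwebp code. */
#define MAX_LEN     4
#define TABLE_SLOTS ((size_t)1 << MAX_LEN)

/* Slots the given code lengths would occupy in a TABLE_SLOTS-entry table.
 * A symbol of length L spans 2^(MAX_LEN-L) entries; length 0 means unused.
 * Returns SIZE_MAX if any length is out of range. */
static size_t required_slots(const uint8_t *lens, size_t n) {
    size_t slots = 0;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] == 0) continue;
        if (lens[i] > MAX_LEN) return SIZE_MAX;
        slots += (size_t)1 << (MAX_LEN - lens[i]);
    }
    return slots;
}

/* Builds the table for a canonical code. Unlike a check-after-write builder,
 * the completeness and capacity checks run BEFORE the first store, so an
 * over-subscribed code (too many nodes) cannot write past `cap` entries.
 * Returns the number of slots written, or -1 (writing nothing) on rejection. */
long build_table_checked(const uint8_t *lens, size_t n, uint16_t *table, size_t cap) {
    size_t need = required_slots(lens, n);
    if (need != TABLE_SLOTS || need > cap) return -1;   /* malformed or would overflow */

    /* Canonical codes assigned by increasing length map to contiguous,
     * increasing index ranges, so a complete code fills sequentially. */
    size_t filled = 0;
    for (uint8_t len = 1; len <= MAX_LEN; len++) {
        size_t span = (size_t)1 << (MAX_LEN - len);
        for (size_t sym = 0; sym < n; sym++) {
            if (lens[sym] != len) continue;
            for (size_t k = 0; k < span; k++) table[filled + k] = (uint16_t)sym;
            filled += span;
        }
    }
    return (long)filled;
}
```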

Definitely tricky to reach and, as the author notes, even though the vulnerable code was well covered by fuzzing, it would be somewhat hard, but not impossible, for a fuzzer to fulfill these conditions and trigger the bug.