Silver rule: Never trust C code. Firefox has a sandbox mechanism where it compiles libraries to wasm and then back to C, but I guess they hadn't gotten around to doing that for libwebp yet.

My thoughts exactly. I consider it common knowledge, at least to anyone worthy calling themselves professionals, that any externally provided data to any system should be checked and sanitized. There just exists no excuse for omitting that. Even less for a prolific image compression library like this one. If this vulnerability really turns out to be about completely missing sanitation of the compressed image data, then it begs the question how/why this code was ever accepted to run practically everywhere (at least on the internet). If Google is the producer of this library, they should be deeply ashamed. Potentially even be held liable, by such a blatant transgression of a fundamental software engineering rule. While the bug itself might be interesting from a technical perspective, and illustrative of how dangerous unguarded edge conditions can be, omission of input sanitation is far from that. That is just unbelievably stupid, if not outright culpable negligence. I hardly can believe that a company like Google would produce code like that, especially not for a library that is used almost anywhere were modern image formats are processed. I am still hoping I'm just getting this all wrong. I'll happily retract all I just wrote and put an official apology up here instead (if I got it all wrong). However, if it does turn out that this library did not do any input sanitation of the compressed image data, then the producers of this library (I presume the fine folks at Google) have some serious explaining to do!

@@elmo2you "Culpable negligence" LOL, is it not negligence to use other people's code without understanding it fully :)

​@@sheesh236 Actually in the law it could be. THIS SOFTWARE IS PROVIDED WITHOUT WARRANTY, EVEN MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE

Yeah that's what I thought as well, it's actually surprising it took so long and was still a zero-day...

Exactly this came to my mind seeing the chrome cve back then. I realised my information theory professor really taught something useful lol.

Huffman coding is great! It's being replaced by arithmetic coding and asymmetrical number systems for entropy coding gains in newer codecs, but with diminishing returns :)

​@@emblemi6345 why did you go to info theory without interest in it

Amazing book, filters me hard!

buffer overflow!

He misspoke. The correct number 256 was still written on the screen (“This table always holds 256 possible Symbols”).

There is a simple and common way to avoid this kind of problem. Any time a pointer is passed for data to be written to, always pass the maximum number of bytes that can be written and the function never writes more than that (or pass a buffer end pointer, same basic effect). Not doing that shows a serious lack of discipline on the part of the programmer(s).

my thoughts as well, first thing id think of when it comes to the wallet feature.

I recommend reading "Advanced Fuzzing Unmasks Elusive Vulnerabilities" post by Marc Heuse of Security Research Labs. It goes in depth about the possibility of finding vulnerabilities with advanced fuzzing techniques and whether those techniques could've surfaced this specific vulnerability in libwebp earlier.

The fuzzer would eventually enter the correct inputs to trigger this, but it might take forever! In theory no exploit is elusive to a fuzzer if it can be triggered by a user, but we don't have infinite time or computing power

If someone was asked to read through the code and check for buffer vulnerabilities I bet they would have found it within a few hours. Obviously nobody performed a security audit on the code (or they were incompetent). This might be a good application for an AI.

@@hung8969 It’s probably too complex of a chain to easily fuzz start to finish. You might as well put the effort into fuzzing the webp library directly.

What you're saying is HERESY... "abandoning" the format is simply impossible (the cat is already out of the bag), so any security hole must be fixed ASAP. If you still think that "abandoning" the format is possible, go convince a few million people to up and take down every last .WEBP file out there!!!

My hot take: Programmers who don't know assembly have no business writing C

Damn script kiddies.

@@Nunya58294 I mean for the knowledge part, not for the scripting thing. Also, at some part people needs to start.

@@Nunya58294 bro be saying this and acting like he wasn't a skid at some point

good question ;) and it's almost philosophical. The image is not turned into a nonsensical array. There exists no image yet. If you see an image, it means that the bits and bytes were already interpreted and rendered! The vulnerability (and the nonsensical array) happen during the interpretation of the invalid bits and bytes.

The image doesn't need to have been created with the official WebP library, that will always generate valid results. One could write their own code to create an invalid image: a file that purports to be WebP but that doesn't follow the specification or doesn't match expectations in some way. Or they could open a valid image in a hex editor to directly edit its bytes, changing it to be invalid.

You can manually craft a file consisting of carefully picked bits that cause the decompression algorithm to generate an invalid huffman table. Then name the file with webp file type and send it to someone.

There are only two possible codes of length 1 - 0 or 1. So you cant assign 4 symbols with a code of length 1, only 2 symbols at most.

Game Boy: "F that, I'll just run out of battery without warning"

@@williamdrum9899 lol reminds me chinese phone that has fluctuating battery percentage

Simple answer, there were other exploits to escape ;) To remotely hack a phone you have to chain multiple security vulnerabilities to exploit each step. That's why they are so rare and special.

Thanks for clarification!

it's fixed

these are ex-8200 rather notoriously known and the unit is not associated with them at all, to the point of vilifying them and calling them hired guns

@@alonzy989 Talpiot Program is an offshoot of 8200 for the most successful red-teamers lol, it’s a promotion for them. 8200 operatives do not vilify Talpiot operations, they aspire to be recruited to them.

While I am normally a rust shill, keep in mind _why_ this complex allocation was done: cache locality. You could not reasonably do this in rust. I would personally prefer safety over speed though, so I'd still say rust would be a good option if this was my personal project.

This specific problem is not something Rust would nor could have prevented-this is a programmer error by not validating the source input (i.e. file). The buffer could be overflowed by crafting an image file that caused the Huffman table construction to exceed the pre-calculated buffer size. So it would've been outside any compiler's knowledge. What could potentially have caught it would have been using advanced fuzzing techniques. However, fuzzing is not a silver bullet, and this vulnerability was not caught by Google's OSS-Fuzz project. It's possible that fuzzing alone wouldn't have been enough to catch this vulnerability at all.

@@dealloc > so it would've been outside of any compiler's knowledge In other words, the compiler would insert a bounds check here and prevent the bug...

​@@MrFram The vulnerability was introduced when applying a common optimization used in Huffman decoders; The decoder was optimized by pre-reading N bits to determine how many to consume and which symbol to decode. Longer symbols previously required graph traversal but were improved using an array of lookup tables. The new tables store (nbits, value) pairs; if nbits exceeds N, it's a table index, enabling efficient decoding. However, a bug emerged during table construction, risking overflow due to unanticipated table sizes. Rust's safety mechanisms might not have caught this because while it's unsuitable for unsafe code in table construction, the lookup phase often requires unsafe operations for performance. Even tools like "enough" in zlib, as explained in this video, predict table sizes under specific constraints, but when those constraints aren't met, Rust's safety wouldn't prevent a wrong table construction, potentially leading to security issues.

@@dealloc stop using chatgpt and actually think about what you just wrote. > it's unsuitable for unsafe code in table construction, the lookup requires unsafe operations for performance So table construction can be done using safe code, and only the decoding lookup has to use unsafe

Did you even watch the video? Smh

@@geckwwo i did

@@hyronharrison8127 "iOS is more secure" secure or not, a bug still exists (existed). And I'd argue that iOS is more secure - yeah, Apple does a great job of serving updates even to old devices, but Google does the same for Android, even on other manufacturers' devices (via Google Play security updates). Disallowed sideloading on iOS is more of an obstacle than a feature. (and APK sideloading is disabled on Android by default, which is the only correct way for both security and freedom)

@@geckwwonot to mention this isn’t Apple’s fault since it’s Google format and google responsibility so Apple was just better and fixed it without knowing it was a webp thing

But vuln is fixed now

@@LiveOverflow Still don't trust it 🧐

my credentials: liveoveflow@gmail.com:stfu70053r

you are the actual first!

@@ItIsJan I’m a pro speedrunner now lol

Your mom’s first

@@Wierie_ HAHAHAHA what a creative joke, you’re hilarious

What about Chrome?

They literally said Android, Linux and windows as well