CVE-2023-4863: Heap buffer overflow in WebP (Chrome)

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

CodeRabbit: AI Code Reviews for Developers
Revolutionize your code reviews with AI. CodeRabbit offers PR summaries, code walkthroughs, 1-click suggestions, and AST-based analysis. Boost productivity and code quality across all major languages with each PR.
coderabbit.ai
featured
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured
  • libwebp

    Mirror only. Please do not send pull requests. See https://chromium.googlesource.com/webm/libwebp/+/HEAD/CONTRIBUTING.md.

    It's 2023, surely this is not yet another bug related to memory unsafety that could be avoided if we'd stop writing critical code that deals with extremely complex untrusted input (media codecs) in memory unsafe languages?

    Yep, of course it is: https://github.com/webmproject/libwebp/commit/902bc919033134...

    I guess libwebp could be excused as it was started when there were no alternatives, but even for new projects today we're still committing the same mistake[1][2][3].

    [1] -- https://code.videolan.org/videolan/dav1d

    [2] -- https://github.com/AOMediaCodec/libavif

    [3] -- https://github.com/AOMediaCodec/libiamf

    Yep. Keep writing these in C; surely nothing will go wrong.

  • CodeRabbit

    CodeRabbit: AI Code Reviews for Developers. Revolutionize your code reviews with AI. CodeRabbit offers PR summaries, code walkthroughs, 1-click suggestions, and AST-based analysis. Boost productivity and code quality across all major languages with each PR.

    CodeRabbit logo
  • jxl.js

    JPEG XL decoder in JavaScript using WebAssembly (WASM)

  • libavif

    libavif - Library for encoding and decoding .avif files

    It's 2023, surely this is not yet another bug related to memory unsafety that could be avoided if we'd stop writing critical code that deals with extremely complex untrusted input (media codecs) in memory unsafe languages?

    Yep, of course it is: https://github.com/webmproject/libwebp/commit/902bc919033134...

    I guess libwebp could be excused as it was started when there were no alternatives, but even for new projects today we're still committing the same mistake[1][2][3].

    [1] -- https://code.videolan.org/videolan/dav1d

    [2] -- https://github.com/AOMediaCodec/libavif

    [3] -- https://github.com/AOMediaCodec/libiamf

    Yep. Keep writing these in C; surely nothing will go wrong.

  • libiamf

    Reference Software for IAMF

    It's 2023, surely this is not yet another bug related to memory unsafety that could be avoided if we'd stop writing critical code that deals with extremely complex untrusted input (media codecs) in memory unsafe languages?

    Yep, of course it is: https://github.com/webmproject/libwebp/commit/902bc919033134...

    I guess libwebp could be excused as it was started when there were no alternatives, but even for new projects today we're still committing the same mistake[1][2][3].

    [1] -- https://code.videolan.org/videolan/dav1d

    [2] -- https://github.com/AOMediaCodec/libavif

    [3] -- https://github.com/AOMediaCodec/libiamf

    Yep. Keep writing these in C; surely nothing will go wrong.

  • Electron

    :electron: Build cross-platform desktop apps with JavaScript, HTML, and CSS

    It does, see [0]. Fun fact: Signal desktop, which uses Electron under the hood, is running without sandbox on Linux [1][2].

    [0] https://github.com/electron/electron/pull/39824

    [1] https://github.com/signalapp/Signal-Desktop/issues/5195

    [2] https://github.com/signalapp/Signal-Desktop/pull/4381

  • Signal-Desktop

    A private messenger for Windows, macOS, and Linux.

    It does, see [0]. Fun fact: Signal desktop, which uses Electron under the hood, is running without sandbox on Linux [1][2].

    [0] https://github.com/electron/electron/pull/39824

    [1] https://github.com/signalapp/Signal-Desktop/issues/5195

    [2] https://github.com/signalapp/Signal-Desktop/pull/4381

  • l4v

    seL4 specification and proofs

    You can't really retrofit safety to C. The best that can be achieved is sel4, which while it is written in C has a separate proof of its correctness: https://github.com/seL4/l4v

    The proof is much, much more work than the microkernel itself. A proof for something as large as webP might take decades.

  • SaaSHub

    SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

    SaaSHub logo
  • wuffs

    Wrangling Untrusted File Formats Safely

    I agree that Wuffs [1] would have been a very good alternative! If it can be made more generally. AFAIK Wuffs is still very limited, in particular it never allows dynamic allocation. Many formats, including those supported by Wuffs the library, need dynamic allocation, so Wuffs code has to be glued with unverified non-Wuffs code [2]. This only works with simpler formats.

    [1] https://github.com/google/wuffs/blob/main/doc/wuffs-the-lang...

    [2] https://github.com/google/wuffs/blob/main/doc/note/memory-sa...

  • kani

    Kani Rust Verifier

    > those applications need the proof for correctness so that more dangerous code---say, what would need `unsafe` in Rust---can be safely added

    There are actually already tools built for this very purpose in Rust (see Kani [1] for instance).

    Formal verification has a serious scaling problem, so forming programs in such a way that there are a few performance-critical areas that use unsafe routines seems like the best route. I feel like Rust leans into this paradigm with `unsafe` blocks.

    [1] - https://github.com/model-checking/kani

  • BrowserBoxPro

    Discontinued :cyclone: BrowserBox is Web application virtualization via zero trust remote browser isolation and secure document gateway technology. Embed secure unrestricted webviews on any device in a regular webpage. Multiplayer embeddable browsers, open source! [Moved to: https://github.com/BrowserBox/BrowserBox]

    Agree. This is one of the reasons it's better to go with older and more reliable JPEG for viewport streaming. An exploit chain would need to penetrate screen capture images to pass to the client. Browser zero days do occur and this is why it's important to have protection. For added protection consider browser isolation. Check out open source Zero Trust browser isolation at BrowserBox using JPEG (now WebP) now: https://github.com/dosyago/BrowserBoxPro

    Technically, we did try using WebP due to its significant bandwidth gains. However, the compute overhead for encoding versus JPEG introduced unacceptable latency into our streaming pipeline, so for now, we're still against it. Security is an additional mark against the newer standard, as good as it is!

  • image

    Encoding and decoding images in Rust (by image-rs)

    FTR there is a WebP decoder implementation in safe Rust in the image crate: https://github.com/image-rs/image

    It used to be quite incomplete for a long time, but work last year has implemented many webp features. Chromium now has a policy of allowing the use of Rust dependencies, so maybe Chromium could start adopting it?

  • ZLib

    A massively spiffy yet delicately unobtrusive compression library.

    So the real issue here is that the lack of tree validation before the tree construction, I believe. I'm surprised that this check was not yet implemented (I actually checked libwebp to make sure that I was missing one). Given this blind spot, an automated test based on the domain knowledge is likely useless to catch this bug.

    [1] https://github.com/madler/zlib/blob/master/examples/enough.c

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts

  • Ouch - simple compression and decompression for your terminal

    2 projects | /r/commandline | 7 Jan 2023
  • Lossless Log Aggregation

    3 projects | news.ycombinator.com | 5 Dec 2024
  • Google says replacing C/C++ in firmware with Rust is easy

    2 projects | news.ycombinator.com | 8 Sep 2024
  • Dynamic watermarking on the JVM

    1 project | dev.to | 4 Jul 2024
  • vu128: Efficient variable-length integers

    2 projects | news.ycombinator.com | 23 May 2024