)]}' { "commit": "24771efd79239a736dcdda2eecfd1ecffcdd7545", "tree": "287d5652a1719deb3973f34c1d74ea05d57cb0f4", "parents": [ "37e47b664e8d7c37e60a6b056cc4959b791fe879" ], "author": { "name": "Jason Simmons", "email": "jason-simmons@users.noreply.github.com", "time": "Mon Jun 15 13:26:35 2026 +0000" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Jun 15 13:26:35 2026 +0000" }, "message": "In the APNG decoder, validate the chunk data length before calling GetChunkSize to avoid potential overflow in the chunk size calculation (#187949)\n\nBefore this PR, APNGImageGenerator::IsValidChunkHeader was calling\nGetChunkSize to check whether the buffer had sufficient capacity for the\nchunk.\nThe chunk contains a 32-bit data length field, and GetChunkSize\ncalculates the chunk size as a size_t. If size_t is 32-bit and the chunk\ndata length is malformed, then the calculation could overflow and return\nan incorrect result.\n\nThis PR verifies that the chunk\u0027s data length fits within the remaining\ncapacity of the buffer before using the length in calculations.\n\nSee https://github.com/flutter/flutter/pull/187701\n\n---------\n\nCo-authored-by: Himanshu Anand \u003canand.himanshu17@gmail.com\u003e", "tree_diff": [ { "type": "modify", "old_id": "307bb5b5fc34dfbdfd09efba6feea056c87a971e", "old_mode": 33188, "old_path": "engine/src/flutter/lib/ui/painting/image_generator_apng.cc", "new_id": "dc646b593dd1cf842fcacd55eab5e4e85640ba2f", "new_mode": 33188, "new_path": "engine/src/flutter/lib/ui/painting/image_generator_apng.cc" }, { "type": "modify", "old_id": "283d07d5fb7ab1a2d1cddce63ae3a7c28fc92df2", "old_mode": 33188, "old_path": "engine/src/flutter/lib/ui/painting/image_generator_apng_unittests.cc", "new_id": "e626621711edb6d453d8ac4db1610a5a409e570b", "new_mode": 33188, "new_path": "engine/src/flutter/lib/ui/painting/image_generator_apng_unittests.cc" } ] }