From 29e34a0f3aa8b1490c334badcaadec898e76bf07 Mon Sep 17 00:00:00 2001
From: fedotoff
Date: Tue, 28 Feb 2023 17:55:38 +0300
Subject: [PATCH] webp: fix panic at memory allocation in readAlpha function
---
 webp/decode.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/webp/decode.go b/webp/decode.go
index d6eefd5..5527020 100644
--- a/webp/decode.go
+++ b/webp/decode.go
@@ -10,6 +10,7 @@ import (
  "image"
  "image/color"
  "io"
+ "math/bits"
  "golang.org/x/image/riff"
  "golang.org/x/image/vp8"
@@ -154,10 +155,18 @@ func readAlpha(chunkData io.Reader, widthMinusOne, heightMinusOne uint32, compre
  case 0:
  w := int(widthMinusOne) + 1
  h := int(heightMinusOne) + 1
- alpha = make([]byte, w*h)
- if _, err := io.ReadFull(chunkData, alpha); err != nil {
+ // Overflow check
+ if hi, _ := bits.Mul64(uint64(w), uint64(h)); hi != 0 {
+ return nil, 0, errInvalidFormat
+ }
+ size := w * h
+ alpha, err := io.ReadAll(io.LimitReader(chunkData, int64(size)))
+ if err != nil {
  return nil, 0, err
  }
+ if len(alpha) != size {
+ return nil, 0, errInvalidFormat
+ }
  return alpha, w, nil
  case 1:
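Review bot: The overflow guard ahead of `size := w * h` only rejects products wider than 64 bits, so it does not protect the `int` multiplication on builds where `int` is 32 bits. There, if the caller allows dimensions such as 65536×65536, the `hi != 0` test passes, `size` wraps to 0, the limited read returns no bytes, and `len(alpha) != size` accepts an empty slice that is returned with stride `w`; how the caller indexes it is outside the hunk. Bounding the product by the `int` range closes this: `hi, lo := bits.Mul64(uint64(w), uint64(h))` followed by `if hi != 0 || lo > math.MaxInt {`, which needs `math` added to the import block. Separately, `alpha, err :=` declares new locals where the removed line assigned to an existing `alpha` (presumably a named result), so assigning with `=` would avoid the shadowing. readAlpha's body begins and ends outside the hunk.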