Libwebp v1.0.0 存在CVE-2023-4863漏洞

[LjzJohn]

近期谷歌披露了WebP组件的高危漏洞CVE-2023-4863
由于该组件存在边界错误，远程攻击者可以通过精心构造的webp图片，触发基于堆的缓冲区溢出并在目标系统上执行任意代码
https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/

[LjzJohn]

[Log - HEAD - webm/libwebp - Git at Google (googlesource.com)
](https://chromium.googlesource.com/webm/libwebp/+log)
可以从libwebp的commit log看出来，在1.3.2前修复了这个问题

[ThisIsJieZhang]

[Log - HEAD - webm/libwebp - Git at Google (googlesource.com) ](https://chromium.googlesource.com/webm/libwebp/+log) 可以从libwebp的commit log看出来，在1.3.2前修复了这个问题

fresco4.2以上版本是走系统的解码，源码里面依赖的libwep只是针对4.2以下版本才有用的

[lucidreamiss]

[Log - HEAD - webm/libwebp - Git at Google (googlesource.com) ](https://chromium.googlesource.com/webm/libwebp/+log) 可以从libwebp的commit log看出来，在1.3.2前修复了这个问题

fresco4.2以上版本是走系统的解码，源码里面依赖的libwep只是针对4.2以下版本才有用的

这是在哪做的判断呀，源码里么

[linsui]

fresco/fbcore/src/main/java/com/facebook/common/webp/WebpSupportStatus.java

Line 20 in ee08340

Build.VERSION.SDK_INT <= Build.VERSION_CODES.JELLY_BEAN_MR1;

[linsui]

I hope that fresco can update libwebp to 1.3.2 and force using it on all Android versions. Only the latest few Android versions will get the fix. Relying on the system webp support means exposing the users to attack.

[dengkeng]

https://blog.isosceles.com/the-webp-0day/ 里面描述的触发调用堆栈入口为WebPDecode，根据WebpSupportStatus.java里面的判断，只针对nativeDecodeStream与nativeDecodeByteArray这2个函数，那么WebPFrame_nativeRenderFrame是否也可能受到影响，因为WebPFrame_nativeRenderFrame也会调用到WebPDecode，该接口是否也有可能受到该漏洞的影响?

[oprisnik]

Please use Fresco version 3.1.3+ which has a newer version of libwebp.