fix(security): validate pixel-buffer bounds and widen size math

WebPEncoder:
- New ValidatePixelBuffer helper enforces width/height <= WEBP_MAX_DIMENSION,
  stride >= width*bytesPerPixel, and pixels.Length >= stride*height
  (long-widened to avoid int32 overflow). Without this, libwebp reads
  past the end of the pinned managed buffer if the caller mis-declares
  dimensions, exposing adjacent GC heap memory.
- Encode(byte[],..., float) result-length cast guards against
  size_t > int.MaxValue truncation.

WebPDecoder:
- Decode(byte[],...) reads dimensions via WebPGetInfo, rejects values
  outside (0, WEBP_MAX_DIMENSION], and uses long arithmetic for
  stride*height to detect overflow before allocation.
- Decode(byte[], byte[], stride, format) now validates output.Length
  >= stride*height before handing the pointer to libwebp.

Author: lilith

src/Imazen.WebP/WebPDecoder.cs

@@ -53,12 +53,19 @@ public static byte[] Decode(byte[] data, out int width, out int height, WebPPixe
                     () => NativeMethods.WebPGetInfo(dataPtr, dataSize, ref w, ref h)) == 0)
                     throw new Exception("Invalid WebP header detected");
 
+                if (w <= 0 || h <= 0 || w > NativeMethods.WEBP_MAX_DIMENSION || h > NativeMethods.WEBP_MAX_DIMENSION)
+                    throw new InvalidDataException($"WebP dimensions out of range: {w}x{h}");
+
                 width = w;
                 height = h;
 
                 int bytesPerPixel = (format == WebPPixelFormat.Bgr || format == WebPPixelFormat.Rgb) ? 3 : 4;
-                int stride = w * bytesPerPixel;
-                byte[] output = new byte[stride * h];
+                long strideL = (long)w * bytesPerPixel;
+                long sizeL = strideL * h;
+                if (sizeL > int.MaxValue)
+                    throw new InvalidDataException($"Decoded buffer would exceed int.MaxValue: {sizeL} bytes");
+                int stride = (int)strideL;
+                byte[] output = new byte[(int)sizeL];
 
                 var outHandle = GCHandle.Alloc(output, GCHandleType.Pinned);
                 try
@@ -90,16 +97,35 @@ public static void Decode(byte[] data, byte[] output, int stride, WebPPixelForma
         {
             if (data == null) throw new ArgumentNullException(nameof(data));
             if (output == null) throw new ArgumentNullException(nameof(output));
-
+            if (stride <= 0) throw new ArgumentOutOfRangeException(nameof(stride));
+
+            // Verify the output buffer is large enough for the declared image
+            // before handing libwebp the raw pointer. libwebp itself checks
+            // output_buffer_size, but doing the check here makes the failure
+            // mode a managed exception (with parameter name) rather than a
+            // silent WebPDecode... return-NULL.
+            int w = 0, h = 0;
             var dataHandle = GCHandle.Alloc(data, GCHandleType.Pinned);
             var outHandle = GCHandle.Alloc(output, GCHandleType.Pinned);
             try
             {
                 IntPtr dataPtr = dataHandle.AddrOfPinnedObject();
                 IntPtr outPtr = outHandle.AddrOfPinnedObject();
                 UIntPtr dataSize = (UIntPtr)data.Length;
-                UIntPtr outSize = (UIntPtr)output.Length;
 
+                if (NativeLibraryLoader.FixDllNotFoundException("webp",
+                    () => NativeMethods.WebPGetInfo(dataPtr, dataSize, ref w, ref h)) == 0)
+                    throw new InvalidDataException("Invalid WebP header detected");
+                if (w <= 0 || h <= 0 || w > NativeMethods.WEBP_MAX_DIMENSION || h > NativeMethods.WEBP_MAX_DIMENSION)
+                    throw new InvalidDataException($"WebP dimensions out of range: {w}x{h}");
+
+                long needed = (long)stride * h;
+                if (output.Length < needed)
+                    throw new ArgumentException(
+                        $"output.Length {output.Length} is smaller than stride*height ({needed}).",
+                        nameof(output));
+
+                UIntPtr outSize = (UIntPtr)output.Length;
                 IntPtr result = DecodeInto(dataPtr, dataSize, outPtr, outSize, stride, format);
                 if (outPtr != result)
                     throw new Exception("Failed to decode WebP image");

src/Imazen.WebP/WebPEncoder.cs

@@ -52,6 +52,7 @@ public static byte[] Encode(byte[] pixels, int width, int height, int stride,
             if (pixels == null) throw new ArgumentNullException(nameof(pixels));
             if (width <= 0) throw new ArgumentOutOfRangeException(nameof(width));
             if (height <= 0) throw new ArgumentOutOfRangeException(nameof(height));
+            ValidatePixelBuffer(pixels, width, height, stride, format);
 
             var handle = GCHandle.Alloc(pixels, GCHandleType.Pinned);
             try
@@ -75,7 +76,11 @@ public static byte[] Encode(byte[] pixels, int width, int height, int stride,
 
                 try
                 {
-                    byte[] output = new byte[(int)(ulong)length];
+                    ulong len = (ulong)length;
+                    if (len > int.MaxValue)
+                        throw new InvalidOperationException(
+                            $"libwebp produced {len} bytes — exceeds int.MaxValue and cannot be returned as a byte[].");
+                    byte[] output = new byte[(int)len];
                     Marshal.Copy(result, output, 0, output.Length);
                     return output;
                 }
@@ -192,6 +197,7 @@ public static void Encode(byte[] pixels, int width, int height, int stride,
             if (width <= 0) throw new ArgumentOutOfRangeException(nameof(width));
             if (height <= 0) throw new ArgumentOutOfRangeException(nameof(height));
             if (outputStream == null) throw new ArgumentNullException(nameof(outputStream));
+            ValidatePixelBuffer(pixels, width, height, stride, format);
 
             if (!config.Validate())
                 throw new ArgumentException("Invalid WebP encoder configuration", nameof(config));
@@ -261,5 +267,31 @@ public static void Encode(byte[] pixels, int width, int height, int stride,
                 outputHandle.Free();
             }
         }
+
+        // Guards libwebp against an out-of-bounds read into the managed heap.
+        // libwebp reads stride * height bytes from the pinned pointer; the
+        // managed buffer must be at least that large. We also enforce the
+        // libwebp dimension cap so width*height won't silently wrap.
+        private static void ValidatePixelBuffer(byte[] pixels, int width, int height, int stride, WebPPixelFormat format)
+        {
+            if (width > NativeMethods.WEBP_MAX_DIMENSION || height > NativeMethods.WEBP_MAX_DIMENSION)
+                throw new ArgumentOutOfRangeException(nameof(width),
+                    $"width/height must be <= {NativeMethods.WEBP_MAX_DIMENSION}; got {width}x{height}.");
+
+            int bytesPerPixel = (format == WebPPixelFormat.Rgb || format == WebPPixelFormat.Bgr) ? 3 : 4;
+            long minStride = (long)width * bytesPerPixel;
+            // libwebp accepts negative strides only for bottom-up bitmaps in
+            // some entry points; we don't expose those entry points and require
+            // a positive stride large enough for one row.
+            if (stride < minStride)
+                throw new ArgumentOutOfRangeException(nameof(stride),
+                    $"stride {stride} is smaller than width*bytesPerPixel ({minStride}).");
+
+            long needed = (long)stride * height;
+            if (pixels.Length < needed)
+                throw new ArgumentException(
+                    $"pixels.Length {pixels.Length} is smaller than stride*height ({needed}).",
+                    nameof(pixels));
+        }
     }
 }