
Security Vulnerability - Action Required: Out-of-bounds Write vulnerability may exist in your project #4558

Closed
Crispy-fried-chicken opened this issue Sep 26, 2024 · 1 comment

Comments

@Crispy-fried-chicken

Hi,
we have detected that your project may be vulnerable to an Out-of-bounds Write in the function ClearMetadata in the file ext/libwebp/src/dec/vp8l_dec.c. It shares similarities with a recent CVE disclosure, CVE-2023-4863 in libwebp.

The source vulnerability information is as follows:

Vulnerability Detail:
CVE Identifier: CVE-2023-4863
Description: Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-4863
Patch: webmproject/libwebp@902bc91#diff-048cd0744572f0f96c1fd0a2115c8f6b4019473409d3584a348fce0f9e522b6cL268

Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!

@kjk closed this as completed in b7065f0 on Oct 7, 2024
@Crispy-fried-chicken (Author)

Hey @kjk, thank you for your reply about this issue, which was detected by our tools. Now we really want to know your thoughts about our tool. When you have a chance, could you please take a look at it? Specifically, we're interested in understanding:

  1. Do you feel the detection results from our tool help enhance the security of your project?
  2. Would you be willing to let us regularly scan your project in the future to identify potential vulnerabilities?
  3. Our tool works by collecting patches from existing publicly disclosed vulnerabilities in real time and scanning target projects for the presence of identical code or similar logic. Do you have any suggestions for improving this vulnerability detection approach?

Please feel free to tell me your thoughts; it's really important for us to improve our tool. Thank you!

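The two checks below are an added example, not code from the issue, from the reporter's tool, or from the SumatraPDF or libwebp projects. They show what a maintainer can run against a vendored copy of libwebp to triage a report like the one above: first, a version check against the 1.3.2 fix release named in the advisory, assuming the vendored tree still carries libwebp's `src/dec/vp8i_dec.h` with its `DEC_MAJ_VERSION` / `DEC_MIN_VERSION` / `DEC_REV_VERSION` defines; second, the patch-signature matching the reporter describes in item 3 (a file that still contains a fix commit's removed lines but none of its added lines is flagged). The patch, header and source snippets embedded here are constructed for the demonstration and are not the real CVE-2023-4863 diff; `alloc_table`, `needed_size` and `kFixedTableSize` are hypothetical names.

```python
"""Triage checks for a vendored libwebp copy (added example, not project code).

Check 1: decoder version from src/dec/vp8i_dec.h (assumed layout: the
         DEC_*_VERSION defines, as upstream libwebp ships them).
Check 2: patch-signature scan, the approach described in the issue thread:
         removed ('-') lines present and added ('+') lines absent => flag.
"""
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Release that carries the CVE-2023-4863 fix, per the advisory quoted above.
FIXED_VERSION = (1, 3, 2)

_VERSION_RE = re.compile(r"#define\s+DEC_(MAJ|MIN|REV)_VERSION\s+(\d+)")


def parse_decoder_version(header_text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, rev) from vp8i_dec.h text; None if any define is missing."""
    found = dict(_VERSION_RE.findall(header_text))
    if set(found) != {"MAJ", "MIN", "REV"}:
        return None
    return (int(found["MAJ"]), int(found["MIN"]), int(found["REV"]))


def version_is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the vendored decoder predates the fix release."""
    return version < FIXED_VERSION


def check_vendored_tree(root: Path) -> Optional[bool]:
    """Read <root>/src/dec/vp8i_dec.h (assumed path) and report affected/not; None if unreadable."""
    header = root / "src" / "dec" / "vp8i_dec.h"
    if not header.is_file():
        return None
    version = parse_decoder_version(header.read_text(errors="replace"))
    return None if version is None else version_is_affected(version)


def _normalize(line: str) -> str:
    """Collapse whitespace so reformatting does not defeat the match."""
    return " ".join(line.split())


def patch_signature(patch_text: str) -> Tuple[List[str], List[str]]:
    """Split a unified diff into normalized removed and added code lines."""
    removed, added = [], []
    for line in patch_text.splitlines():
        if line.startswith(("--- ", "+++ ", "@@", "diff ")):
            continue  # file headers and hunk markers carry no code
        if line.startswith("-"):
            removed.append(_normalize(line[1:]))
        elif line.startswith("+"):
            added.append(_normalize(line[1:]))
    return [r for r in removed if r], [a for a in added if a]


def classify_file(source_text: str, removed: List[str], added: List[str]) -> str:
    """'patched' if every added line is present, 'vulnerable-pattern' if every
    removed line is still present, otherwise 'no-match' (needs manual review)."""
    norm = _normalize(source_text)
    if added and all(a in norm for a in added):
        return "patched"
    if removed and all(r in norm for r in removed):
        return "vulnerable-pattern"
    return "no-match"


# ---- constructed sample inputs (not real libwebp code or the real CVE diff) ----
CONSTRUCTED_HEADER_OLD = """
#define DEC_MAJ_VERSION 1
#define DEC_MIN_VERSION 3
#define DEC_REV_VERSION 1
"""

CONSTRUCTED_PATCH = """\
--- a/src/dec/example_dec.c
+++ b/src/dec/example_dec.c
@@ -10,2 +10,3 @@
-  table = alloc_table(kFixedTableSize);
+  if (needed_size > kFixedTableSize) return 0;
+  table = alloc_table(needed_size);
"""

CONSTRUCTED_UNPATCHED_SOURCE = "static int f(void) {\n  table = alloc_table(kFixedTableSize);\n  return 1;\n}\n"
CONSTRUCTED_PATCHED_SOURCE = (
    "static int f(void) {\n  if (needed_size > kFixedTableSize) return 0;\n"
    "  table = alloc_table(needed_size);\n  return 1;\n}\n"
)

if __name__ == "__main__":
    print("version:", parse_decoder_version(CONSTRUCTED_HEADER_OLD))
    removed, added = patch_signature(CONSTRUCTED_PATCH)
    print("unpatched:", classify_file(CONSTRUCTED_UNPATCHED_SOURCE, removed, added))
    print("patched:  ", classify_file(CONSTRUCTED_PATCHED_SOURCE, removed, added))
```

The version check is only as trustworthy as the vendored header (a project that patched its copy locally without bumping the defines would still read as affected). The signature check is a pattern match, not a confirmed bug: a "vulnerable-pattern" hit on a function the fix never touched, as with the ClearMetadata report above, is a reason to read the code by hand, which is exactly what the reporter asked the maintainer to do.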