To follow up on my experiments with black-box detection of the #BLASTPASS vuln[1], I looked into the source code of the dwebp sample used by Isosceles to demonstrate the trigger vs. vipsthumbnail, where the vulnerable code doesn't seem to be reachable.
Based on the backtrace, dwebp enters the libwebp library via WebPDecode().
In contrast, vipsthumbnail uses the Demux API[2], and exits early when WebPDemux() reports an error (without triggering an OOB write).
This means that there are supported libwebp APIs that can catch at least some crafted inputs early, so proper error handling (not present in the official sample code btw...) can block exploitable paths.
Edit: After further digging (see reply) I'm pretty sure it's just the minimal PoC that doesn't pass the check in WebPDemux(); this shouldn't be a problem for a more complete input.
[1]: https://infosec.place/notice/AaEVhdW3h60AsBaM9g
[2]: https://chromium.googlesource.com/webm/libwebp/+/HEAD/doc/api.md#demux-api
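
An added example, not code from the post or from libwebp: container-level checks of the kind a demux stage applies before any pixel decoding, rejecting input whose RIFF and chunk sizes do not add up. The function and helper names are assumptions, the sample bytes are constructed, and the check does not look inside the VP8L bitstream.

```python
import struct

def check_webp_container(buf: bytes) -> list:
    """Return structural problems found; an empty list means the container parses."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"WEBP":
        return ["not a RIFF/WEBP file"]
    problems = []
    riff_end = struct.unpack_from("<I", buf, 4)[0] + 8
    if riff_end > len(buf):
        problems.append(f"RIFF header declares {riff_end} bytes, file has {len(buf)}")
    end = min(riff_end, len(buf))
    pos, frames = 12, 0
    while pos < end:
        if pos + 8 > end:
            problems.append(f"truncated chunk header at offset {pos}")
            break
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        payload = pos + 8
        if payload + size > end:
            problems.append(f"chunk {fourcc!r} claims {size} bytes, {end - payload} available")
            break
        if fourcc in (b"VP8 ", b"VP8L", b"ANMF"):
            frames += 1
        # A VP8L payload starts with signature byte 0x2f plus 4 bytes of dimensions.
        if fourcc == b"VP8L" and (size < 5 or buf[payload] != 0x2F):
            problems.append("VP8L chunk is missing its 5-byte header/signature")
        pos = payload + size + (size & 1)  # payloads are padded to an even length
    if frames == 0 and not problems:
        problems.append("no image data chunk (VP8, VP8L or ANMF)")
    return problems

# Helpers to build constructed sample files (hypothetical names, not a libwebp API).
def chunk(fourcc: bytes, payload: bytes) -> bytes:
    return fourcc + struct.pack("<I", len(payload)) + payload + b"\x00" * (len(payload) & 1)

def riff(body: bytes) -> bytes:
    return b"RIFF" + struct.pack("<I", len(body) + 4) + b"WEBP" + body

WELL_FORMED = riff(chunk(b"VP8L", b"\x2f" + bytes(5)))  # constructed, not a real image
TRUNCATED = WELL_FORMED[:-3]                             # file cut short
OVERCLAIM = riff(b"VP8L" + struct.pack("<I", 0xFFFFFFF0) + b"\x2f")  # size field lies

if __name__ == "__main__":
    for name, data in [("well-formed", WELL_FORMED), ("truncated", TRUNCATED),
                       ("overclaim", OVERCLAIM)]:
        issues = check_webp_container(data)
        print(name, "-> decode" if not issues else f"-> reject: {issues}")
```

With libwebp itself, the equivalent guard is to treat a NULL return from WebPDemux() as a hard stop before any decode call.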