mirror of
https://github.com/webmproject/libwebp.git
synced 2025-01-15 17:18:23 +01:00
Loosen the buffer size checks for Y/U/V/A too.
(follow-up to 15ca5014
)
Change-Id: Ia122e96f616bd6317c24b69c9534cb7919b8a4a4
This commit is contained in:
parent
15ca5014f1
commit
017f8cccec
@ -33,6 +33,11 @@ static int IsValidColorspace(int webp_csp_mode) {
|
|||||||
return (webp_csp_mode >= MODE_RGB && webp_csp_mode < MODE_LAST);
|
return (webp_csp_mode >= MODE_RGB && webp_csp_mode < MODE_LAST);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// strictly speaking, the very last (or first, if flipped) row
|
||||||
|
// doesn't require padding.
|
||||||
|
#define MIN_BUFFER_SIZE(WIDTH, HEIGHT, STRIDE) \
|
||||||
|
(uint64_t)(STRIDE) * ((HEIGHT) - 1) + (WIDTH)
|
||||||
|
|
||||||
static VP8StatusCode CheckDecBuffer(const WebPDecBuffer* const buffer) {
|
static VP8StatusCode CheckDecBuffer(const WebPDecBuffer* const buffer) {
|
||||||
int ok = 1;
|
int ok = 1;
|
||||||
const WEBP_CSP_MODE mode = buffer->colorspace;
|
const WEBP_CSP_MODE mode = buffer->colorspace;
|
||||||
@ -42,20 +47,22 @@ static VP8StatusCode CheckDecBuffer(const WebPDecBuffer* const buffer) {
|
|||||||
ok = 0;
|
ok = 0;
|
||||||
} else if (!WebPIsRGBMode(mode)) { // YUV checks
|
} else if (!WebPIsRGBMode(mode)) { // YUV checks
|
||||||
const WebPYUVABuffer* const buf = &buffer->u.YUVA;
|
const WebPYUVABuffer* const buf = &buffer->u.YUVA;
|
||||||
|
const int uv_width = (width + 1) / 2;
|
||||||
|
const int uv_height = (height + 1) / 2;
|
||||||
const int y_stride = abs(buf->y_stride);
|
const int y_stride = abs(buf->y_stride);
|
||||||
const int u_stride = abs(buf->u_stride);
|
const int u_stride = abs(buf->u_stride);
|
||||||
const int v_stride = abs(buf->v_stride);
|
const int v_stride = abs(buf->v_stride);
|
||||||
const int a_stride = abs(buf->a_stride);
|
const int a_stride = abs(buf->a_stride);
|
||||||
const uint64_t y_size = (uint64_t)y_stride * height;
|
const uint64_t y_size = MIN_BUFFER_SIZE(width, height, y_stride);
|
||||||
const uint64_t u_size = (uint64_t)u_stride * ((height + 1) / 2);
|
const uint64_t u_size = MIN_BUFFER_SIZE(uv_width, uv_height, u_stride);
|
||||||
const uint64_t v_size = (uint64_t)v_stride * ((height + 1) / 2);
|
const uint64_t v_size = MIN_BUFFER_SIZE(uv_width, uv_height, v_stride);
|
||||||
const uint64_t a_size = (uint64_t)a_stride * height;
|
const uint64_t a_size = MIN_BUFFER_SIZE(width, height, a_stride);
|
||||||
ok &= (y_size <= buf->y_size);
|
ok &= (y_size <= buf->y_size);
|
||||||
ok &= (u_size <= buf->u_size);
|
ok &= (u_size <= buf->u_size);
|
||||||
ok &= (v_size <= buf->v_size);
|
ok &= (v_size <= buf->v_size);
|
||||||
ok &= (y_stride >= width);
|
ok &= (y_stride >= width);
|
||||||
ok &= (u_stride >= (width + 1) / 2);
|
ok &= (u_stride >= uv_width);
|
||||||
ok &= (v_stride >= (width + 1) / 2);
|
ok &= (v_stride >= uv_width);
|
||||||
ok &= (buf->y != NULL);
|
ok &= (buf->y != NULL);
|
||||||
ok &= (buf->u != NULL);
|
ok &= (buf->u != NULL);
|
||||||
ok &= (buf->v != NULL);
|
ok &= (buf->v != NULL);
|
||||||
@ -67,15 +74,14 @@ static VP8StatusCode CheckDecBuffer(const WebPDecBuffer* const buffer) {
|
|||||||
} else { // RGB checks
|
} else { // RGB checks
|
||||||
const WebPRGBABuffer* const buf = &buffer->u.RGBA;
|
const WebPRGBABuffer* const buf = &buffer->u.RGBA;
|
||||||
const int stride = abs(buf->stride);
|
const int stride = abs(buf->stride);
|
||||||
// strictly speaking, the very last (or first, if flipped) row
|
const uint64_t size = MIN_BUFFER_SIZE(width, height, stride);
|
||||||
// doesn't require padding.
|
|
||||||
const uint64_t size = (uint64_t)stride * (height - 1) + width;
|
|
||||||
ok &= (size <= buf->size);
|
ok &= (size <= buf->size);
|
||||||
ok &= (stride >= width * kModeBpp[mode]);
|
ok &= (stride >= width * kModeBpp[mode]);
|
||||||
ok &= (buf->rgba != NULL);
|
ok &= (buf->rgba != NULL);
|
||||||
}
|
}
|
||||||
return ok ? VP8_STATUS_OK : VP8_STATUS_INVALID_PARAM;
|
return ok ? VP8_STATUS_OK : VP8_STATUS_INVALID_PARAM;
|
||||||
}
|
}
|
||||||
|
#undef MIN_BUFFER_SIZE
|
||||||
|
|
||||||
static VP8StatusCode AllocateBuffer(WebPDecBuffer* const buffer) {
|
static VP8StatusCode AllocateBuffer(WebPDecBuffer* const buffer) {
|
||||||
const int w = buffer->width;
|
const int w = buffer->width;
|
||||||
|
Loading…
Reference in New Issue
Block a user