dany/libwebp
1
0
Fork 0
mirror of https://github.com/webmproject/libwebp.git synced 2024-11-20 04:18:26 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix integer overflow in WebPAnimDecoderGetNext()

Browse Source 
Change-Id: Ic53263b6125ca125d5fb3791474eab78043fec18
This commit is contained in:
Yannis Guyon 2020-02-27 17:53:49 +01:00
parent 69776e3832
commit 27d082403c
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/demux/anim_decode.c
View File

@ -346,12 +346,15 @@ int WebPAnimDecoderGetNext(WebPAnimDecoder* dec,
{ {
const uint8_t* in = iter.fragment.bytes; const uint8_t* in = iter.fragment.bytes;
const size_t in_size = iter.fragment.size; const size_t in_size = iter.fragment.size;
const size_t out_offset = const uint32_t stride = width * NUM_CHANNELS; // at most 25 + 2 bits
(iter.y_offset * width + iter.x_offset) * NUM_CHANNELS; const uint64_t out_offset = (uint64_t)iter.y_offset * stride +
(uint64_t)iter.x_offset * NUM_CHANNELS; // 53b
const uint64_t size = (uint64_t)iter.height * stride; // at most 25 + 27b
WebPDecoderConfig* const config = &dec->config_; WebPDecoderConfig* const config = &dec->config_;
WebPRGBABuffer* const buf = &config->output.u.RGBA; WebPRGBABuffer* const buf = &config->output.u.RGBA;
buf->stride = NUM_CHANNELS * width; if ((size_t)size != size) goto Error;
buf->size = buf->stride * iter.height; buf->stride = (int)stride;
buf->size = (size_t)size;
buf->rgba = dec->curr_frame_ + out_offset; buf->rgba = dec->curr_frame_ + out_offset;
if (WebPDecode(in, in_size, config) != VP8_STATUS_OK) { if (WebPDecode(in, in_size, config) != VP8_STATUS_OK) {