From 3307a349edfacd0296a849bc36a1c8105c3e62d4 Mon Sep 17 00:00:00 2001
From: James Zern
Date: Thu, 2 Apr 2026 12:29:44 -0700
Subject: [PATCH] anim_encode,KeyFramePenalty: add missing cast

`sub_frame.bitstream.size` is a `size_t`. This function intends to calculate a signed penalty value from 2 instances of the variable. Both need to be cast to `int64_t` to avoid the calculation being promoted to unsigned when `size_t` is 64 bits.

Fixes a (harmless) unsigned overflow warning:
```
src/mux/anim_encode.c:1341:60: runtime error: unsigned integer overflow: 106 - 108 cannot be represented in type 'size_t' (aka 'unsigned long')
```

Bug: 498967191
Change-Id: I45ce174437e5a9bfa856c4d6665f5a60869078b8
---
 src/mux/anim_encode.c | 2 +-
 tests/fuzzer/animencoder_fuzzer.cc | 36 ++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/src/mux/anim_encode.c b/src/mux/anim_encode.c
index 87c4c32f..65c2abd5 100644
--- a/src/mux/anim_encode.c
+++ b/src/mux/anim_encode.c
@@ -1339,7 +1339,7 @@ End:
 // instead of a subframe.
 static int64_t KeyFramePenalty(const EncodedFrame* const encoded_frame) {
   return ((int64_t)encoded_frame->key_frame.bitstream.size -
-          encoded_frame->sub_frame.bitstream.size);
+          (int64_t)encoded_frame->sub_frame.bitstream.size);
 }
 static int CacheFrame(WebPAnimEncoder* const enc,
diff --git a/tests/fuzzer/animencoder_fuzzer.cc b/tests/fuzzer/animencoder_fuzzer.cc
index 407202ee..b9f9d054 100644
--- a/tests/fuzzer/animencoder_fuzzer.cc
+++ b/tests/fuzzer/animencoder_fuzzer.cc
@@ -21,6 +21,7 @@
 #include 
 #include "./fuzz_utils.h"
+#include "gtest/gtest.h"
 #include "src/dsp/cpu.h"
 #include "webp/encode.h"
 #include "webp/mux.h"
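Review bot: The two `(int64_t)` conversions in `KeyFramePenalty` give the signed difference the commit wants, but nothing records why the conversion itself is safe — a `size_t` above `INT64_MAX` would wrap when converted, and the subtraction of two in-range values could still not be represented if they were near the bound. For encoded WebP frame bitstreams the sizes are presumably far below that, so this is a documentation gap rather than a defect; a one-line comment would make the precondition explicit: `// Both sizes are far below INT64_MAX, so the signed subtraction cannot wrap.` The descriptive comment above the function begins outside the hunk, so the caveat could also be folded into it.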
@@ -208,3 +209,38 @@ FUZZ_TEST(AnimArbitraryEncoder, AnimEncoderTest)
         .WithMaxSize(15),
     /*optimization_index=*/
     fuzztest::InRange(0, fuzz_utils::kMaxOptimizationIndex));
+
+TEST(AnimIndexEncoder, Buganizer498967191) {
+  auto GetWebPPicture = [](int index,
+                           bool use_argb) -> fuzz_utils::WebPPictureCpp {
+    WebPPicture pic = fuzz_utils::GetSourcePicture(index, use_argb);
+    return fuzz_utils::WebPPictureCpp(
+        use_argb, pic.colorspace, pic.width, pic.height, pic.y, pic.u, pic.v,
+        pic.y_stride, pic.uv_stride, pic.a, pic.a_stride, pic.argb,
+        pic.argb_stride, pic.memory_, pic.memory_argb_);
+  };
+  AnimEncoderTest(
+      false, {0, 1}, true,
+      {FrameConfig{1, 0, WebPConfig{0, 0.f, 6, static_cast(3),
+                                     0, 0.f, 4, 0,
+                                     38, 7, 1, 0,
+                                     0, 0, 1, 10,
+                                     1, 1, 1, 10,
+                                     0, 0, 0, 20,
+                                     1, 0, 0, 0,
+                                     100},
+                   fuzz_utils::CropOrScaleParams{true, true, 6, 1, 2, 1},
+                   GetWebPPicture(0, true)},
+       FrameConfig{0, 7248,
+                   WebPConfig{1, 0.f, 1, static_cast(3),
+                              0, 0.f, 1, 0,
+                              100, 0, 1, 0,
+                              1, 0, 0, 10,
+                              1, 1, 0, 10,
+                              0, 1, 0, 0,
+                              1, 0, 0, 0,
+                              100},
+                   fuzz_utils::CropOrScaleParams{true, true, 6, 8, 2, 1},
+                   GetWebPPicture(0, true)}},
+      1);
+}
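Review bot: The new `Buganizer498967191` test does not say what it reproduces or how it would fail: judging by the commit message, the only pre-fix signal is the sanitizer's "unsigned integer overflow" report, so on a build without that check the test passes both before and after the fix. A header comment should make that explicit: `// Regression test for b/498967191: KeyFramePenalty() subtracted two size_t` / `// values and wrapped when the sub-frame was larger than the key frame; the` / `// failure is only visible under the unsigned-overflow sanitizer.` The positional `WebPConfig{...}` initializers with ~29 bare numbers are also brittle — any field added to `WebPConfig` silently shifts every value after it — so starting from a default-initialized config and setting only the fields that matter would keep the reproducer readable and stable; note too that the template argument of `static_cast(3)` appears to have been lost in rendering, so the intended enum type should be confirmed against the committed file. `AnimEncoderTest`, `FrameConfig` and `fuzz_utils::WebPPictureCpp` are defined outside the hunk.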