From 3532891de4e7a94081f38a56008dbd41651b0ce1 Mon Sep 17 00:00:00 2001
From: Vincent Rabaud <vrabaud@google.com>
Date: Tue, 25 Nov 2025 12:42:39 +0100
Subject: [PATCH] Fix potential overflow in imageio

BUG: 836597550
Change-Id: I7c00f4cb831142113e6c27e632f989e8cd84ef76
---
 imageio/webpdec.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/imageio/webpdec.c b/imageio/webpdec.c
index 2ae8a97c..a289004e 100644
--- a/imageio/webpdec.c
+++ b/imageio/webpdec.c
@@ -196,7 +196,8 @@ int ReadWebP(const uint8_t* const data, size_t data_size,
 #endif
       output_buffer->u.RGBA.rgba = (uint8_t*)pic->argb;
       output_buffer->u.RGBA.stride = pic->argb_stride * sizeof(uint32_t);
-      output_buffer->u.RGBA.size = output_buffer->u.RGBA.stride * pic->height;
+      output_buffer->u.RGBA.size =
+          (size_t)output_buffer->u.RGBA.stride * pic->height;
     } else {
       output_buffer->colorspace = has_alpha ? MODE_YUVA : MODE_YUV;
       output_buffer->u.YUVA.y = pic->y;
@@ -207,10 +208,12 @@ int ReadWebP(const uint8_t* const data, size_t data_size,
       output_buffer->u.YUVA.u_stride = pic->uv_stride;
       output_buffer->u.YUVA.v_stride = pic->uv_stride;
       output_buffer->u.YUVA.a_stride = has_alpha ? pic->a_stride : 0;
-      output_buffer->u.YUVA.y_size = pic->height * pic->y_stride;
-      output_buffer->u.YUVA.u_size = (pic->height + 1) / 2 * pic->uv_stride;
-      output_buffer->u.YUVA.v_size = (pic->height + 1) / 2 * pic->uv_stride;
-      output_buffer->u.YUVA.a_size = pic->height * pic->a_stride;
+      output_buffer->u.YUVA.y_size = (size_t)pic->height * pic->y_stride;
+      output_buffer->u.YUVA.u_size =
+          (size_t)(pic->height + 1) / 2 * pic->uv_stride;
+      output_buffer->u.YUVA.v_size =
+          (size_t)(pic->height + 1) / 2 * pic->uv_stride;
+      output_buffer->u.YUVA.a_size = (size_t)pic->height * pic->a_stride;
     }
     output_buffer->is_external_memory = 1;