dany/libwebp
1
0
Fork 0
mirror of https://github.com/webmproject/libwebp.git synced 2024-11-20 04:18:26 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Export/EmitRescaledRowsRGBA: fix pointer offset int overflow

Browse Source 
in Export increment the dst pointer, but in EmitRescaledRowsRGBA use
64-bit math as the number of output lines is variable and may still
overflow when incrementing.

Bug: chromium:1196850
Change-Id: I5c65b875894ee9da0fef1e24d27e507171800c4a
This commit is contained in:
James Zern 2021-06-14 12:22:21 -07:00
parent 685d073ee1
commit 695bdaa2f6
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/dec/vp8l_dec.c
View File

@ -574,13 +574,14 @@ static int AllocateAndInitRescaler(VP8LDecoder* const dec, VP8Io* const io) {
static int Export(WebPRescaler* const rescaler, WEBP_CSP_MODE colorspace, static int Export(WebPRescaler* const rescaler, WEBP_CSP_MODE colorspace,
int rgba_stride, uint8_t* const rgba) { int rgba_stride, uint8_t* const rgba) {
uint32_t* const src = (uint32_t*)rescaler->dst; uint32_t* const src = (uint32_t*)rescaler->dst;
uint8_t* dst = rgba;
const int dst_width = rescaler->dst_width; const int dst_width = rescaler->dst_width;
int num_lines_out = 0; int num_lines_out = 0;
while (WebPRescalerHasPendingOutput(rescaler)) { while (WebPRescalerHasPendingOutput(rescaler)) {
uint8_t* const dst = rgba + num_lines_out * rgba_stride;
WebPRescalerExportRow(rescaler); WebPRescalerExportRow(rescaler);
WebPMultARGBRow(src, dst_width, 1); WebPMultARGBRow(src, dst_width, 1);
VP8LConvertFromBGRA(src, dst_width, colorspace, dst); VP8LConvertFromBGRA(src, dst_width, colorspace, dst);
dst += rgba_stride;
++num_lines_out; ++num_lines_out;
} }
return num_lines_out; return num_lines_out;
@ -594,8 +595,8 @@ static int EmitRescaledRowsRGBA(const VP8LDecoder* const dec,
int num_lines_in = 0; int num_lines_in = 0;
int num_lines_out = 0; int num_lines_out = 0;
while (num_lines_in < mb_h) { while (num_lines_in < mb_h) {
uint8_t* const row_in = in + num_lines_in * in_stride; uint8_t* const row_in = in + (uint64_t)num_lines_in * in_stride;
uint8_t* const row_out = out + num_lines_out * out_stride; uint8_t* const row_out = out + (uint64_t)num_lines_out * out_stride;
const int lines_left = mb_h - num_lines_in; const int lines_left = mb_h - num_lines_in;
const int needed_lines = WebPRescaleNeededLines(dec->rescaler, lines_left); const int needed_lines = WebPRescaleNeededLines(dec->rescaler, lines_left);
int lines_imported; int lines_imported;