mirror of
https://github.com/webmproject/libwebp.git
synced 2024-11-20 04:18:26 +01:00
demux: move padded size calc post unpadded validation
though the max chunk/payload sizes were checked and would fail the padded size was being calculated beforehand which could result in a (harmless) unsigned int overflow warning. Bug: webp:508 Change-Id: I4fa30ded2b027c1577b03049a2deeb7bf75e5472
This commit is contained in:
parent
05b72d4205
commit
6fb4cddc93
@ -221,12 +221,16 @@ static ParseStatus StoreFrame(int frame_num, uint32_t min_size,
|
|||||||
const size_t chunk_start_offset = mem->start_;
|
const size_t chunk_start_offset = mem->start_;
|
||||||
const uint32_t fourcc = ReadLE32(mem);
|
const uint32_t fourcc = ReadLE32(mem);
|
||||||
const uint32_t payload_size = ReadLE32(mem);
|
const uint32_t payload_size = ReadLE32(mem);
|
||||||
const uint32_t payload_size_padded = payload_size + (payload_size & 1);
|
uint32_t payload_size_padded;
|
||||||
const size_t payload_available = (payload_size_padded > MemDataSize(mem))
|
size_t payload_available;
|
||||||
? MemDataSize(mem) : payload_size_padded;
|
size_t chunk_size;
|
||||||
const size_t chunk_size = CHUNK_HEADER_SIZE + payload_available;
|
|
||||||
|
|
||||||
if (payload_size > MAX_CHUNK_PAYLOAD) return PARSE_ERROR;
|
if (payload_size > MAX_CHUNK_PAYLOAD) return PARSE_ERROR;
|
||||||
|
|
||||||
|
payload_size_padded = payload_size + (payload_size & 1);
|
||||||
|
payload_available = (payload_size_padded > MemDataSize(mem))
|
||||||
|
? MemDataSize(mem) : payload_size_padded;
|
||||||
|
chunk_size = CHUNK_HEADER_SIZE + payload_available;
|
||||||
if (SizeIsInvalid(mem, payload_size_padded)) return PARSE_ERROR;
|
if (SizeIsInvalid(mem, payload_size_padded)) return PARSE_ERROR;
|
||||||
if (payload_size_padded > MemDataSize(mem)) status = PARSE_NEED_MORE_DATA;
|
if (payload_size_padded > MemDataSize(mem)) status = PARSE_NEED_MORE_DATA;
|
||||||
|
|
||||||
@ -451,9 +455,11 @@ static ParseStatus ParseVP8XChunks(WebPDemuxer* const dmux) {
|
|||||||
const size_t chunk_start_offset = mem->start_;
|
const size_t chunk_start_offset = mem->start_;
|
||||||
const uint32_t fourcc = ReadLE32(mem);
|
const uint32_t fourcc = ReadLE32(mem);
|
||||||
const uint32_t chunk_size = ReadLE32(mem);
|
const uint32_t chunk_size = ReadLE32(mem);
|
||||||
const uint32_t chunk_size_padded = chunk_size + (chunk_size & 1);
|
uint32_t chunk_size_padded;
|
||||||
|
|
||||||
if (chunk_size > MAX_CHUNK_PAYLOAD) return PARSE_ERROR;
|
if (chunk_size > MAX_CHUNK_PAYLOAD) return PARSE_ERROR;
|
||||||
|
|
||||||
|
chunk_size_padded = chunk_size + (chunk_size & 1);
|
||||||
if (SizeIsInvalid(mem, chunk_size_padded)) return PARSE_ERROR;
|
if (SizeIsInvalid(mem, chunk_size_padded)) return PARSE_ERROR;
|
||||||
|
|
||||||
switch (fourcc) {
|
switch (fourcc) {
|
||||||
|
Loading…
Reference in New Issue
Block a user