fix some int <-> size_t mix for buffer sizes

This mix could have led to a negative overflow on 32-bit architectures
(had it not been for the "total_size == (size_t)total_size" test).

Change-Id: I7640340b605b9c674d30dd58a1e2144707299683
Pascal Massimino 2012-07-12 07:23:01 -07:00
parent 45b8272c31
commit b5e9067a28


@ -43,11 +43,11 @@ static VP8StatusCode CheckDecBuffer(const WebPDecBuffer* const buffer) {
ok = 0; ok = 0;
} else if (!WebPIsRGBMode(mode)) { // YUV checks } else if (!WebPIsRGBMode(mode)) { // YUV checks
const WebPYUVABuffer* const buf = &buffer->u.YUVA; const WebPYUVABuffer* const buf = &buffer->u.YUVA;
const size_t size = buf->y_stride * height; const uint64_t y_size = (uint64_t)buf->y_stride * height;
const size_t u_size = buf->u_stride * ((height + 1) / 2); const uint64_t u_size = (uint64_t)buf->u_stride * ((height + 1) / 2);
const size_t v_size = buf->v_stride * ((height + 1) / 2); const uint64_t v_size = (uint64_t)buf->v_stride * ((height + 1) / 2);
const size_t a_size = buf->a_stride * height; const uint64_t a_size = (uint64_t)buf->a_stride * height;
ok &= (size <= buf->y_size); ok &= (y_size <= buf->y_size);
ok &= (u_size <= buf->u_size); ok &= (u_size <= buf->u_size);
ok &= (v_size <= buf->v_size); ok &= (v_size <= buf->v_size);
ok &= (a_size <= buf->a_size); ok &= (a_size <= buf->a_size);
@ -59,7 +59,7 @@ static VP8StatusCode CheckDecBuffer(const WebPDecBuffer* const buffer) {
} }
} else { // RGB checks } else { // RGB checks
const WebPRGBABuffer* const buf = &buffer->u.RGBA; const WebPRGBABuffer* const buf = &buffer->u.RGBA;
const size_t size = buf->stride * height; const uint64_t size = (uint64_t)buf->stride * height;
ok &= (size <= buf->size); ok &= (size <= buf->size);
ok &= (buf->stride >= width * kModeBpp[mode]); ok &= (buf->stride >= width * kModeBpp[mode]);
} }
@ -108,23 +108,23 @@ static VP8StatusCode AllocateBuffer(WebPDecBuffer* const buffer) {
WebPYUVABuffer* const buf = &buffer->u.YUVA; WebPYUVABuffer* const buf = &buffer->u.YUVA;
buf->y = output; buf->y = output;
buf->y_stride = stride; buf->y_stride = stride;
buf->y_size = (int)size; buf->y_size = (size_t)size;
buf->u = output + size; buf->u = output + size;
buf->u_stride = uv_stride; buf->u_stride = uv_stride;
buf->u_size = (int)uv_size; buf->u_size = (size_t)uv_size;
buf->v = output + size + uv_size; buf->v = output + size + uv_size;
buf->v_stride = uv_stride; buf->v_stride = uv_stride;
buf->v_size = (int)uv_size; buf->v_size = (size_t)uv_size;
if (mode == MODE_YUVA) { if (mode == MODE_YUVA) {
buf->a = output + size + 2 * uv_size; buf->a = output + size + 2 * uv_size;
} }
buf->a_size = (int)a_size; buf->a_size = (size_t)a_size;
buf->a_stride = a_stride; buf->a_stride = a_stride;
} else { // RGBA initialization } else { // RGBA initialization
WebPRGBABuffer* const buf = &buffer->u.RGBA; WebPRGBABuffer* const buf = &buffer->u.RGBA;
buf->rgba = output; buf->rgba = output;
buf->stride = stride; buf->stride = stride;
buf->size = (int)size; buf->size = (size_t)size;
} }
} }
return CheckDecBuffer(buffer); return CheckDecBuffer(buffer);
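Review bot: In the RGB branch of CheckDecBuffer (second hunk), the stride check `buf->stride >= width * kModeBpp[mode]` still multiplies in the narrow type, while the size computation two lines above it was widened to uint64_t. The declarations of `width` and `kModeBpp` are outside the hunk, but if both are int, a sufficiently large width overflows the product, which is undefined behaviour and could let an undersized stride pass the check. Consider widening it the same way, e.g. `ok &= ((int64_t)buf->stride >= (int64_t)width * kModeBpp[mode]);`, which keeps the comparison signed so a negative stride is still rejected on this line. The function body starts and ends outside the hunks shown, so any earlier bound on width could not be checked from here.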