anim_decode: fix overflow in ZeroFillFrameRect

This function was missed in 1c364400 (prevent 32b overflow for very
large canvas_width / height) when related functions were updated.

Bug: 481737032
Change-Id: If55cc0490e5ed4f3fc3da07d9b4a5cd921a107ee
James Zern
2026-02-04 16:44:48 -08:00
parent 45102247a8
commit d29e00aa70

@@ -178,8 +178,10 @@ WEBP_NODISCARD static int ZeroFillCanvas(uint8_t* buf, uint32_t canvas_width,
static void ZeroFillFrameRect(uint8_t* buf, int buf_stride, int x_offset,
int y_offset, int width, int height) {
int j;
const uint32_t x = (uint32_t)x_offset * NUM_CHANNELS; // 26 bits
const uint64_t y = (uint64_t)y_offset * buf_stride;
assert(width * NUM_CHANNELS <= buf_stride);
buf += y_offset * buf_stride + x_offset * NUM_CHANNELS;
buf += y + x;
for (j = 0; j < height; ++j) {
WEBP_UNSAFE_MEMSET(buf, 0, width * NUM_CHANNELS);
buf += buf_stride;
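
Review bot: the new casts on the `x` and `y` lines assume `x_offset`, `y_offset` and `buf_stride` are non-negative, but all three are still declared `int` and the only precondition asserted is `width * NUM_CHANNELS <= buf_stride`. A negative `y_offset` or `buf_stride` would be converted to a very large unsigned value in `(uint64_t)y_offset * buf_stride` instead of being caught. Consider adding `assert(x_offset >= 0 && y_offset >= 0 && buf_stride > 0);` beside the existing assert, and expanding the `// 26 bits` comment to name the limit on `x_offset` it depends on. Separately, `buf += y + x` can only advance by what a pointer can represent, so on a target with 32-bit pointers the 64-bit sum is not preserved in full; a short comment stating that callers have already validated the canvas size against the allocation would make that dependency explicit.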