From d29e00aa708243ff9945989a0e4e3c8cf6dbf152 Mon Sep 17 00:00:00 2001 From: James Zern Date: Wed, 4 Feb 2026 16:44:48 -0800 Subject: [PATCH] anim_decode: fix overflow in ZeroFillFrameRect This function was missed in 1c364400 (prevent 32b overflow for very large canvas_width / height) when related functions were updated. Bug: 481737032 Change-Id: If55cc0490e5ed4f3fc3da07d9b4a5cd921a107ee --- src/demux/anim_decode.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/demux/anim_decode.c b/src/demux/anim_decode.c index 259aaff7..de915e1b 100644 --- a/src/demux/anim_decode.c +++ b/src/demux/anim_decode.c @@ -178,8 +178,10 @@ WEBP_NODISCARD static int ZeroFillCanvas(uint8_t* buf, uint32_t canvas_width, static void ZeroFillFrameRect(uint8_t* buf, int buf_stride, int x_offset, int y_offset, int width, int height) { int j; + const uint32_t x = (uint32_t)x_offset * NUM_CHANNELS; // 26 bits + const uint64_t y = (uint64_t)y_offset * buf_stride; assert(width * NUM_CHANNELS <= buf_stride); - buf += y_offset * buf_stride + x_offset * NUM_CHANNELS; + buf += y + x; for (j = 0; j < height; ++j) { WEBP_UNSAFE_MEMSET(buf, 0, width * NUM_CHANNELS); buf += buf_stride;