From d38bd0dda0cca47777700771b275574cc23598ca Mon Sep 17 00:00:00 2001
From: "jzern@google.com"
Date: Wed, 9 Jun 2021 23:49:04 +0000
Subject: [PATCH] WebPFlipBuffer: fix integer overflow with large scale values the offset to the end of the buffer may exceed 32-bits range. src/dec/buffer_dec.c:158:39: runtime error: signed integer overflow: 2 * 1275068416 cannot be represented in type 'int' #0 0x56444802bea5 in WebPFlipBuffer src/dec/buffer_dec.c:158:39
Bug: chromium:1196850
Change-Id: I08c8b69ada5d5dd3e9bf2b9006dffa0c5f2103a5
---
 src/dec/buffer_dec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/dec/buffer_dec.c b/src/dec/buffer_dec.c
index 58173fba..4786cf0d 100644
--- a/src/dec/buffer_dec.c
+++ b/src/dec/buffer_dec.c
@@ -155,11 +155,11 @@ VP8StatusCode WebPFlipBuffer(WebPDecBuffer* const buffer) {
 }
 if (WebPIsRGBMode(buffer->colorspace)) {
 WebPRGBABuffer* const buf = &buffer->u.RGBA;
- buf->rgba += (buffer->height - 1) * buf->stride;
+ buf->rgba += (int64_t)(buffer->height - 1) * buf->stride;
 buf->stride = -buf->stride;
 } else {
 WebPYUVABuffer* const buf = &buffer->u.YUVA;
- const int H = buffer->height;
+ const int64_t H = buffer->height;
 buf->y += (H - 1) * buf->y_stride;
 buf->y_stride = -buf->y_stride;
 buf->u += ((H - 1) >> 1) * buf->u_stride;
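Review bot: The widened product is still added straight onto `buf->rgba` (and `buf->y`, `buf->u`) with nothing in this hunk showing that the offset lies inside the allocation, so the patch removes the signed-overflow UB in the multiply but leans on a size check that must live elsewhere. On targets where `ptrdiff_t` is 32 bits, an `int64_t` offset above `PTRDIFF_MAX` cannot be applied to a pointer at all; presumably that is ruled out when the buffer is allocated or validated, but it is worth confirming since the report was triggered by a large scale value. I would record the reason for the cast next to it, e.g. `// 64-bit math: (height - 1) * stride can exceed INT_MAX with large scale values`, and make the two branches consistent by hoisting `const int64_t H = buffer->height;` above the `if`. The function body continues past the end of the hunk, so the remaining plane updates are not visible here.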