WebPFlipBuffer: fix integer overflow

with large scale values the offset to the end of the buffer may exceed
32-bits range.

src/dec/buffer_dec.c:158:39: runtime error: signed integer overflow: 2 *
1275068416 cannot be represented in type 'int'
  #0 0x56444802bea5 in WebPFlipBuffer src/dec/buffer_dec.c:158:39

Bug: chromium:1196850
Change-Id: I08c8b69ada5d5dd3e9bf2b9006dffa0c5f2103a5
jzern@google.com 2021-06-09 23:49:04 +00:00 committed by James Zern
parent 109ff0f100
commit d38bd0dda0


@ -155,11 +155,11 @@ VP8StatusCode WebPFlipBuffer(WebPDecBuffer* const buffer) {
} }
if (WebPIsRGBMode(buffer->colorspace)) { if (WebPIsRGBMode(buffer->colorspace)) {
WebPRGBABuffer* const buf = &buffer->u.RGBA; WebPRGBABuffer* const buf = &buffer->u.RGBA;
buf->rgba += (buffer->height - 1) * buf->stride; buf->rgba += (int64_t)(buffer->height - 1) * buf->stride;
buf->stride = -buf->stride; buf->stride = -buf->stride;
} else { } else {
WebPYUVABuffer* const buf = &buffer->u.YUVA; WebPYUVABuffer* const buf = &buffer->u.YUVA;
const int H = buffer->height; const int64_t H = buffer->height;
buf->y += (H - 1) * buf->y_stride; buf->y += (H - 1) * buf->y_stride;
buf->y_stride = -buf->y_stride; buf->y_stride = -buf->y_stride;
buf->u += ((H - 1) >> 1) * buf->u_stride; buf->u += ((H - 1) >> 1) * buf->u_stride;
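Review bot: The widened offset is still added straight to `buf->rgba`, `buf->y` and `buf->u` with no visible check that it fits in `ptrdiff_t` or stays inside the allocation, so the cast removes the signed `int` overflow but not the possibility of an out-of-range pointer on a 32-bit target. Whether `height` and the strides are validated against the buffer size before this point cannot be told from the hunk, since `WebPFlipBuffer` starts and ends outside it; that is worth confirming in the caller or in the buffer-check path. The two branches also widen differently (an inline cast in the RGB branch, a retyped `H` in the YUVA branch), so a later cleanup could easily narrow one of them again. I would add a comment above each multiplication, for example `// 64-bit math: (height - 1) * stride can exceed INT_MAX with large scale values; do not narrow.`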