mirror of
https://github.com/webmproject/libwebp.git
synced 2024-12-27 06:08:21 +01:00
WebPFlipBuffer: fix integer overflow
with large scale values the offset to the end of the buffer may exceed 32-bits range. src/dec/buffer_dec.c:158:39: runtime error: signed integer overflow: 2 * 1275068416 cannot be represented in type 'int' #0 0x56444802bea5 in WebPFlipBuffer src/dec/buffer_dec.c:158:39 Bug: chromium:1196850 Change-Id: I08c8b69ada5d5dd3e9bf2b9006dffa0c5f2103a5
This commit is contained in:
parent
109ff0f100
commit
d38bd0dda0
@ -155,11 +155,11 @@ VP8StatusCode WebPFlipBuffer(WebPDecBuffer* const buffer) {
|
|||||||
}
|
}
|
||||||
if (WebPIsRGBMode(buffer->colorspace)) {
|
if (WebPIsRGBMode(buffer->colorspace)) {
|
||||||
WebPRGBABuffer* const buf = &buffer->u.RGBA;
|
WebPRGBABuffer* const buf = &buffer->u.RGBA;
|
||||||
buf->rgba += (buffer->height - 1) * buf->stride;
|
buf->rgba += (int64_t)(buffer->height - 1) * buf->stride;
|
||||||
buf->stride = -buf->stride;
|
buf->stride = -buf->stride;
|
||||||
} else {
|
} else {
|
||||||
WebPYUVABuffer* const buf = &buffer->u.YUVA;
|
WebPYUVABuffer* const buf = &buffer->u.YUVA;
|
||||||
const int H = buffer->height;
|
const int64_t H = buffer->height;
|
||||||
buf->y += (H - 1) * buf->y_stride;
|
buf->y += (H - 1) * buf->y_stride;
|
||||||
buf->y_stride = -buf->y_stride;
|
buf->y_stride = -buf->y_stride;
|
||||||
buf->u += ((H - 1) >> 1) * buf->u_stride;
|
buf->u += ((H - 1) >> 1) * buf->u_stride;
|
||||||
|
Loading…
Reference in New Issue
Block a user