dany/libwebp
1
0
Fork 0
mirror of https://github.com/webmproject/libwebp.git synced 2024-11-20 12:28:26 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

GetHistoBits: fix integer overflow

Browse Source 
huff_image_size was a size_t (=32 bits with 32-bit builds) which could
rollover causing an incorrectly sized allocation and a crash in lossless
encoding.
fixes issue #128

Change-Id: I0f20cee98c29b2b40b02607930b6b7a7ca56996d
This commit is contained in:
James Zern 2012-10-03 12:14:44 -07:00
parent b30add2017
commit f9cb58fbce
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/enc/vp8l.c
View File

@ -903,13 +903,13 @@ static int GetHistoBits(const WebPConfig* const config,
const WebPPicture* const pic) { const WebPPicture* const pic) {
const int width = pic->width; const int width = pic->width;
const int height = pic->height; const int height = pic->height;
const size_t hist_size = sizeof(VP8LHistogram); const uint64_t hist_size = sizeof(VP8LHistogram);
// Make tile size a function of encoding method (Range: 0 to 6). // Make tile size a function of encoding method (Range: 0 to 6).
int histo_bits = 7 - config->method; int histo_bits = 7 - config->method;
while (1) { while (1) {
const size_t huff_image_size = VP8LSubSampleSize(width, histo_bits) * const uint64_t huff_image_size = VP8LSubSampleSize(width, histo_bits) *
VP8LSubSampleSize(height, histo_bits) * VP8LSubSampleSize(height, histo_bits) *
hist_size; hist_size;
if (huff_image_size <= MAX_HUFF_IMAGE_SIZE) break; if (huff_image_size <= MAX_HUFF_IMAGE_SIZE) break;
++histo_bits; ++histo_bits;
} }