author | scherkus@chromium.org <scherkus@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-07-12 21:23:09 +0000 |
---|---|---|
committer | scherkus@chromium.org <scherkus@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-07-12 21:23:09 +0000 |
commit | 87472531ff66a58cfc04ea6adfa112be2a92205d (patch) | |
tree | c9d55a7c70566a9f30477da0767a613f2d308fca /third_party | |
parent | 498e623c873be862a3951c5ef433ca6f133a59f0 (diff) | |
libwebp: fix some int <-> size_t mix for buffer sizes
This is to prevent overflow to negative.
(although we're testing total_size = (size_t)total_size)
Patch by skal@google.com.
BUG=136894
TEST=none
Review URL: https://chromiumcodereview.appspot.com/10690171
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@146440 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party')
-rw-r--r-- | third_party/libwebp/README.chromium | 1 | ||||
-rw-r--r-- | third_party/libwebp/dec/buffer.c | 23 | ||||
-rw-r--r-- | third_party/libwebp/webp/decode.h | 8 | ||||
-rw-r--r-- | third_party/libwebp/webp/types.h | 2 |
4 files changed, 19 insertions, 15 deletions
diff --git a/third_party/libwebp/README.chromium b/third_party/libwebp/README.chromium index 525267b..8f2266d 100644 --- a/third_party/libwebp/README.chromium +++ b/third_party/libwebp/README.chromium @@ -23,6 +23,7 @@ Local changes: * Merged COPYING/PATENTS to LICENSE * Add BGRX and RGBX variants to the WEBPImportPicture API (needs to be upstreamed to libwebp master). + * Fix for possible int / size_t overflow in buffer-size calculations Upstream cherry-picks: 7bb6a9c idec: fix internal state corruption 89cd1bb idec: fix WebPIUpdate failure diff --git a/third_party/libwebp/dec/buffer.c b/third_party/libwebp/dec/buffer.c index a190f1f..caaf2f0 100644 --- a/third_party/libwebp/dec/buffer.c +++ b/third_party/libwebp/dec/buffer.c @@ -30,11 +30,11 @@ static VP8StatusCode CheckDecBuffer(const WebPDecBuffer* const buffer) { const int height = buffer->height; if (mode >= MODE_YUV) { // YUV checks const WebPYUVABuffer* const buf = &buffer->u.YUVA; - const int size = buf->y_stride * height; - const int u_size = buf->u_stride * ((height + 1) / 2); - const int v_size = buf->v_stride * ((height + 1) / 2); - const int a_size = buf->a_stride * height; - ok &= (size <= buf->y_size); + const uint64_t y_size = (uint64_t)buf->y_stride * height; + const uint64_t u_size = (uint64_t)buf->u_stride * ((height + 1) / 2); + const uint64_t v_size = (uint64_t)buf->v_stride * ((height + 1) / 2); + const uint64_t a_size = (uint64_t)buf->a_stride * height; + ok &= (y_size <= buf->y_size); ok &= (u_size <= buf->u_size); ok &= (v_size <= buf->v_size); ok &= (a_size <= buf->a_size); @@ -46,7 +46,8 @@ static VP8StatusCode CheckDecBuffer(const WebPDecBuffer* const buffer) { } } else { // RGB checks const WebPRGBABuffer* const buf = &buffer->u.RGBA; - ok &= (buf->stride * height <= buf->size); + const uint64_t size = (uint64_t)buf->stride * height; + ok &= (size <= buf->size); ok &= (buf->stride >= width * kModeBpp[mode]); } return ok ? VP8_STATUS_OK : VP8_STATUS_INVALID_PARAM; 
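Review bot: In the YUV branch of CheckDecBuffer the chroma row count `(height + 1) / 2` is still evaluated in `int` before the widening cast, so a `height` of INT_MAX overflows a signed int ahead of the 64-bit multiply. Widening first avoids that: `const uint64_t uv_rows = ((uint64_t)height + 1) / 2;`, then `(uint64_t)buf->u_stride * uv_rows` and the same for `v_size`. Whether `height` is range-checked earlier cannot be seen here, because the function starts above the hunk.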
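Review bot: The RGB branch still computes `width * kModeBpp[mode]` in `int` on the unchanged line right after the new `size` check, so the minimum-stride comparison can overflow in the same way the commit fixes for `stride * height`. Doing it widened keeps both checks in 64 bits and states the sign requirement explicitly instead of relying on the cast: `ok &= (buf->stride > 0 && (uint64_t)buf->stride >= (uint64_t)width * kModeBpp[mode]);`. The YUV stride checks between this hunk and the previous one are not visible here and may need the same look.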
@@ -95,23 +96,23 @@ static VP8StatusCode AllocateBuffer(WebPDecBuffer* const buffer) {
 WebPYUVABuffer* const buf = &buffer->u.YUVA;
 buf->y = output;
 buf->y_stride = stride;
- buf->y_size = (int)size;
+ buf->y_size = (size_t)size;
 buf->u = output + size;
 buf->u_stride = uv_stride;
- buf->u_size = (int)uv_size;
+ buf->u_size = (size_t)uv_size;
 buf->v = output + size + uv_size;
 buf->v_stride = uv_stride;
- buf->v_size = (int)uv_size;
+ buf->v_size = (size_t)uv_size;
 if (mode == MODE_YUVA) {
 buf->a = output + size + 2 * uv_size;
 }
- buf->a_size = (int)a_size;
+ buf->a_size = (size_t)a_size;
 buf->a_stride = a_stride;
 } else { // RGBA initialization
 WebPRGBABuffer* const buf = &buffer->u.RGBA;
 buf->rgba = output;
 buf->stride = stride;
- buf->size = (int)size;
+ buf->size = (size_t)size;
 }
 }
 return CheckDecBuffer(buffer);
diff --git a/third_party/libwebp/webp/decode.h b/third_party/libwebp/webp/decode.h
index fe5fa4a..5c544d3 100644
--- a/third_party/libwebp/webp/decode.h
+++ b/third_party/libwebp/webp/decode.h
@@ -122,7 +122,7 @@ typedef enum { MODE_RGB = 0, MODE_RGBA = 1,
 typedef struct { // view as RGBA
 uint8_t* rgba; // pointer to RGBA samples
 int stride; // stride in bytes from one scanline to the next.
- int size; // total size of the *rgba buffer.
+ size_t size; // total size of the *rgba buffer.
 } WebPRGBABuffer;
 
 typedef struct { // view as YUVA
@@ -130,9 +130,9 @@ typedef struct { // view as YUVA
 int y_stride; // luma stride
 int u_stride, v_stride; // chroma strides
 int a_stride; // alpha stride
- int y_size; // luma plane size
- int u_size, v_size; // chroma planes size
- int a_size; // alpha-plane size
+ size_t y_size; // luma plane size
+ size_t u_size, v_size; // chroma planes size
+ size_t a_size; // alpha-plane size
 } WebPYUVABuffer;
 
 // Output buffer
diff --git a/third_party/libwebp/webp/types.h b/third_party/libwebp/webp/types.h
index 2882364..d9ecda6 100644
--- a/third_party/libwebp/webp/types.h
+++ b/third_party/libwebp/webp/types.h
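Review bot: The `(size_t)` casts in AllocateBuffer are lossless only if the total allocation size was already verified to fit in `size_t`, and nothing in these lines records that dependency. The commit message refers to a `total_size = (size_t)total_size` test, but it sits above the hunk, as do the declarations of `size`, `uv_size` and `a_size`. A comment before the first assignment would keep the link visible, e.g. `// total_size was checked to fit in size_t above, so every plane size does too.` Without it, a later edit that moves or drops the earlier check could leave truncating casts here on 32-bit targets.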
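Review bot: Changing `size` in WebPRGBABuffer, and `y_size`, `u_size`, `v_size`, `a_size` in the WebPYUVABuffer hunk that follows, from `int` to `size_t` alters the size and field offsets of both public structs on LP64 targets. Code built against the old header and linked with the new library would read the wrong fields, and no ABI-version bump is visible in these hunks; if the header carries a decoder ABI version constant, it should change with this layout. Callers that store or compare these fields as `int` now get implicit signed/unsigned conversions, so the field comments could say so, e.g. `// total size of the *rgba buffer, in bytes (unsigned)`.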
@@ -12,6 +12,8 @@
 #ifndef WEBP_WEBP_TYPES_H_
 #define WEBP_WEBP_TYPES_H_
 
+#include <stddef.h> // for size_t
+
 #ifndef _MSC_VER
 #include <inttypes.h>
 #else |