shithub: libvpx

Download patch

ref: 69fc604636f740a57482f3898c2527d29663ee6d
parent: df7dc31cdfaa81e20fd0f4aed4c5eff037f484c4
author: Wan-Teh Chang <wtc@google.com>
date: Thu Jul 8 11:17:48 EDT 2021 

Check for addition overflows in vpx_img_set_rect()

Check for x + w and y + h overflows in vpx_img_set_rect().

Move the declaration of the local variable 'data' to the block it is
used in.

Change-Id: I6bda875e1853c03135ec6ce29015bcc78bb8b7ba


--- a/vpx/src/vpx_image.c
+++ b/vpx/src/vpx_image.c
@@ -8,6 +8,7 @@
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
+#include <limits.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -152,9 +153,8 @@
 
 int vpx_img_set_rect(vpx_image_t *img, unsigned int x, unsigned int y,
                      unsigned int w, unsigned int h) {
-  unsigned char *data;
-
-  if (x + w <= img->w && y + h <= img->h) {
+  if (x <= UINT_MAX - w && x + w <= img->w && y <= UINT_MAX - h &&
+      y + h <= img->h) {
     img->d_w = w;
     img->d_h = h;
 
@@ -165,7 +165,7 @@
     } else {
       const int bytes_per_sample =
           (img->fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? 2 : 1;
-      data = img->img_data;
+      unsigned char *data = img->img_data;
 
       if (img->fmt & VPX_IMG_FMT_HAS_ALPHA) {
         img->planes[VPX_PLANE_ALPHA] =