ref: 69fc604636f740a57482f3898c2527d29663ee6d
parent: df7dc31cdfaa81e20fd0f4aed4c5eff037f484c4
author: Wan-Teh Chang <wtc@google.com>
date: Thu Jul 8 11:17:48 EDT 2021
Check for addition overflows in vpx_img_set_rect() Check for x + w and y + h overflows in vpx_img_set_rect(). Move the declaration of the local variable 'data' to the block it is used in. Change-Id: I6bda875e1853c03135ec6ce29015bcc78bb8b7ba
--- a/vpx/src/vpx_image.c
+++ b/vpx/src/vpx_image.c
@@ -8,6 +8,7 @@
* be found in the AUTHORS file in the root of the source tree.
*/
+#include <limits.h>
#include <stdlib.h>
#include <string.h>
@@ -152,9 +153,8 @@
int vpx_img_set_rect(vpx_image_t *img, unsigned int x, unsigned int y,
unsigned int w, unsigned int h) {- unsigned char *data;
-
- if (x + w <= img->w && y + h <= img->h) {+ if (x <= UINT_MAX - w && x + w <= img->w && y <= UINT_MAX - h &&
+ y + h <= img->h) {img->d_w = w;
img->d_h = h;
@@ -165,7 +165,7 @@
} else {const int bytes_per_sample =
(img->fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? 2 : 1;
- data = img->img_data;
+ unsigned char *data = img->img_data;
if (img->fmt & VPX_IMG_FMT_HAS_ALPHA) {img->planes[VPX_PLANE_ALPHA] =