Check for addition overflows in vpx_img_set_rect()

author Wan-Teh Chang <wtc@google.com>

Thu, 8 Jul 2021 22:17:48 +0000 (15:17 -0700)

committer James Zern <jzern@google.com>

Fri, 9 Jul 2021 19:48:00 +0000 (12:48 -0700)
author Wan-Teh Chang <wtc@google.com>
Thu, 8 Jul 2021 22:17:48 +0000 (15:17 -0700)
committer James Zern <jzern@google.com>
Fri, 9 Jul 2021 19:48:00 +0000 (12:48 -0700)
diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c

index 2a7afc00c21103267fe40a68983aec125b3ba2bd..f9f0dd6025d249274467146718158a59285c47b7 100644 (file)
--- a/vpx/src/vpx_image.c
+++ b/vpx/src/vpx_image.c
@@ -8,6 +8,7 @@
   *  be found in the AUTHORS file in the root of the source tree.
   */
  
+#include <limits.h>
  #include <stdlib.h>
  #include <string.h>
  
@@ -152,9 +153,8 @@ vpx_image_t *vpx_img_wrap(vpx_image_t *img, vpx_img_fmt_t fmt, unsigned int d_w,
  
  int vpx_img_set_rect(vpx_image_t *img, unsigned int x, unsigned int y,
                       unsigned int w, unsigned int h) {
-  unsigned char *data;
-
-  if (x + w <= img->w && y + h <= img->h) {
+  if (x <= UINT_MAX - w && x + w <= img->w && y <= UINT_MAX - h &&
+      y + h <= img->h) {
      img->d_w = w;
      img->d_h = h;
  
@@ -165,7 +165,7 @@ int vpx_img_set_rect(vpx_image_t *img, unsigned int x, unsigned int y,
      } else {
        const int bytes_per_sample =
            (img->fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? 2 : 1;
-      data = img->img_data;
+      unsigned char *data = img->img_data;
  
        if (img->fmt & VPX_IMG_FMT_HAS_ALPHA) {
          img->planes[VPX_PLANE_ALPHA] =
author	Wan-Teh Chang <wtc@google.com>
	Thu, 8 Jul 2021 22:17:48 +0000 (15:17 -0700)
committer	James Zern <jzern@google.com>
	Fri, 9 Jul 2021 19:48:00 +0000 (12:48 -0700)