diff options
| author | James Zern <jzern@google.com> | 2021-04-20 14:02:52 -0700 |
|---|---|---|
| committer | James Zern <jzern@google.com> | 2021-04-23 11:46:45 -0700 |
| commit | 595fa13f834e6a58a68304205b6a122d3795c3d9 (patch) | |
| tree | 1ac7e8bd5bc5fe685264cf0e5928112675b31af3 | |
| parent | 8fdaecb09deef5dcf1c1834ca4370ee3711c30e1 (diff) | |
| download | libwebp-595fa13f834e6a58a68304205b6a122d3795c3d9.tar.gz | |
add WebPCheckCropDimensions()
and avoid integer overflow in test of x/width and y/height parameters
against the image width/height
Bug: chromium:1196778, chromium:1196777, chromium:1196480
Change-Id: I7b8f1f4dbebfe073b1ba260b8317979488655dcc
| -rw-r--r-- | src/dec/buffer_dec.c | 3 | ||||
| -rw-r--r-- | src/dec/webp_dec.c | 9 | ||||
| -rw-r--r-- | src/dec/webpi_dec.h | 4 |
3 files changed, 13 insertions, 3 deletions
diff --git a/src/dec/buffer_dec.c b/src/dec/buffer_dec.c index 3cd94eb4..14339d0a 100644 --- a/src/dec/buffer_dec.c +++ b/src/dec/buffer_dec.c @@ -188,8 +188,7 @@ VP8StatusCode WebPAllocateDecBuffer(int width, int height, const int ch = options->crop_height; const int x = options->crop_left & ~1; const int y = options->crop_top & ~1; - if (x < 0 || y < 0 || cw <= 0 || ch <= 0 || - x + cw > width || y + ch > height) { + if (!WebPCheckCropDimensions(width, height, x, y, cw, ch)) { return VP8_STATUS_INVALID_PARAM; // out of frame boundary. } width = cw; diff --git a/src/dec/webp_dec.c b/src/dec/webp_dec.c index 43a7af50..2c694699 100644 --- a/src/dec/webp_dec.c +++ b/src/dec/webp_dec.c @@ -785,6 +785,13 @@ VP8StatusCode WebPDecode(const uint8_t* data, size_t data_size, //------------------------------------------------------------------------------ // Cropping and rescaling. +int WebPCheckCropDimensions(int image_width, int image_height, + int x, int y, int w, int h) { + return !(x < 0 || y < 0 || w <= 0 || h <= 0 || + x >= image_width || w > image_width || w > image_width - x || + y >= image_height || h > image_height || h > image_height - y); +} + int WebPIoInitFromOptions(const WebPDecoderOptions* const options, VP8Io* const io, WEBP_CSP_MODE src_colorspace) { const int W = io->width; @@ -802,7 +809,7 @@ int WebPIoInitFromOptions(const WebPDecoderOptions* const options, x &= ~1; y &= ~1; } - if (x < 0 || y < 0 || w <= 0 || h <= 0 || x + w > W || y + h > H) { + if (!WebPCheckCropDimensions(W, H, x, y, w, h)) { return 0; // out of frame boundary error } } diff --git a/src/dec/webpi_dec.h b/src/dec/webpi_dec.h index 24baff5d..3b97388c 100644 --- a/src/dec/webpi_dec.h +++ b/src/dec/webpi_dec.h @@ -77,6 +77,10 @@ VP8StatusCode WebPParseHeaders(WebPHeaderStructure* const headers); //------------------------------------------------------------------------------ // Misc utils +// Returns true if crop dimensions are within image bounds. +int WebPCheckCropDimensions(int image_width, int image_height, + int x, int y, int w, int h); + // Initializes VP8Io with custom setup, io and teardown functions. The default // hooks will use the supplied 'params' as io->opaque handle. void WebPInitCustomIo(WebPDecParams* const params, VP8Io* const io); |