[tbb-commits] [tor-browser] 21/73: Bug 1784835. Use checkedint in webp encoder to avoid overflow. r=aosmond, a=RyanVM
gitolite role
git at cupani.torproject.org
Wed Sep 21 20:17:14 UTC 2022
This is an automated email from the git hooks/post-receive script.
richard pushed a commit to branch geckoview-102.3.0esr-12.0-1
in repository tor-browser.
commit 4805e26a3fa23020dc437a3c12ac34356dbf6027
Author: Timothy Nikkel <tnikkel at gmail.com>
AuthorDate: Tue Aug 23 08:42:49 2022 +0000
Bug 1784835. Use checkedint in webp encoder to avoid overflow. r=aosmond, a=RyanVM
---
image/encoders/webp/nsWebPEncoder.cpp | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/image/encoders/webp/nsWebPEncoder.cpp b/image/encoders/webp/nsWebPEncoder.cpp
index 38c4f2ce4c288..c7ae125aae40f 100644
--- a/image/encoders/webp/nsWebPEncoder.cpp
+++ b/image/encoders/webp/nsWebPEncoder.cpp
@@ -103,12 +103,20 @@ nsWebPEncoder::InitFromData(const uint8_t* aData,
size_t size = 0;
+ CheckedInt32 width = CheckedInt32(aWidth);
+ CheckedInt32 height = CheckedInt32(aHeight);
+ CheckedInt32 stride = CheckedInt32(aStride);
+ if (!width.isValid() || !height.isValid() || !stride.isValid() ||
+ !(CheckedUint32(aStride) * CheckedUint32(aHeight)).isValid()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
if (aInputFormat == INPUT_FORMAT_RGB) {
- size =
- WebPEncodeRGB(aData, aWidth, aHeight, aStride, quality, &mImageBuffer);
+ size = WebPEncodeRGB(aData, width.value(), height.value(), stride.value(),
+ quality, &mImageBuffer);
} else if (aInputFormat == INPUT_FORMAT_RGBA) {
- size =
- WebPEncodeRGBA(aData, aWidth, aHeight, aStride, quality, &mImageBuffer);
+ size = WebPEncodeRGBA(aData, width.value(), height.value(), stride.value(),
+ quality, &mImageBuffer);
} else if (aInputFormat == INPUT_FORMAT_HOSTARGB) {
UniquePtr<uint8_t[]> aDest = MakeUnique<uint8_t[]>(aStride * aHeight);
@@ -135,8 +143,8 @@ nsWebPEncoder::InitFromData(const uint8_t* aData,
}
}
- size = WebPEncodeRGBA(aDest.get(), aWidth, aHeight, aStride, quality,
- &mImageBuffer);
+ size = WebPEncodeRGBA(aDest.get(), width.value(), height.value(),
+ stride.value(), quality, &mImageBuffer);
}
mFinished = true;
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the tbb-commits
mailing list