This is an automated email from the git hooks/post-receive script.
richard pushed a commit to branch geckoview-102.3.0esr-12.0-1 in repository tor-browser.
commit 4805e26a3fa23020dc437a3c12ac34356dbf6027 Author: Timothy Nikkel tnikkel@gmail.com AuthorDate: Tue Aug 23 08:42:49 2022 +0000
Bug 1784835. Use checkedint in webp encoder to avoid overflow. r=aosmond, a=RyanVM --- image/encoders/webp/nsWebPEncoder.cpp | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/image/encoders/webp/nsWebPEncoder.cpp b/image/encoders/webp/nsWebPEncoder.cpp index 38c4f2ce4c288..c7ae125aae40f 100644 --- a/image/encoders/webp/nsWebPEncoder.cpp +++ b/image/encoders/webp/nsWebPEncoder.cpp @@ -103,12 +103,20 @@ nsWebPEncoder::InitFromData(const uint8_t* aData,
size_t size = 0;
+ CheckedInt32 width = CheckedInt32(aWidth); + CheckedInt32 height = CheckedInt32(aHeight); + CheckedInt32 stride = CheckedInt32(aStride); + if (!width.isValid() || !height.isValid() || !stride.isValid() || + !(CheckedUint32(aStride) * CheckedUint32(aHeight)).isValid()) { + return NS_ERROR_INVALID_ARG; + } + if (aInputFormat == INPUT_FORMAT_RGB) { - size = - WebPEncodeRGB(aData, aWidth, aHeight, aStride, quality, &mImageBuffer); + size = WebPEncodeRGB(aData, width.value(), height.value(), stride.value(), + quality, &mImageBuffer); } else if (aInputFormat == INPUT_FORMAT_RGBA) { - size = - WebPEncodeRGBA(aData, aWidth, aHeight, aStride, quality, &mImageBuffer); + size = WebPEncodeRGBA(aData, width.value(), height.value(), stride.value(), + quality, &mImageBuffer); } else if (aInputFormat == INPUT_FORMAT_HOSTARGB) { UniquePtr<uint8_t[]> aDest = MakeUnique<uint8_t[]>(aStride * aHeight);
@@ -135,8 +143,8 @@ nsWebPEncoder::InitFromData(const uint8_t* aData, } }
- size = WebPEncodeRGBA(aDest.get(), aWidth, aHeight, aStride, quality, - &mImageBuffer); + size = WebPEncodeRGBA(aDest.get(), width.value(), height.value(), + stride.value(), quality, &mImageBuffer); }
mFinished = true;