[tor-commits] [tor-browser] 21/73: Bug 1784835. Use checkedint in webp encoder to avoid overflow. r=aosmond, a=RyanVM

gitolite role git at cupani.torproject.org
Wed Sep 21 20:17:14 UTC 2022 

This is an automated email from the git hooks/post-receive script.

richard pushed a commit to branch geckoview-102.3.0esr-12.0-1
in repository tor-browser.

commit 4805e26a3fa23020dc437a3c12ac34356dbf6027
Author: Timothy Nikkel <tnikkel at gmail.com>
AuthorDate: Tue Aug 23 08:42:49 2022 +0000

    Bug 1784835. Use checkedint in webp encoder to avoid overflow. r=aosmond, a=RyanVM
---
 image/encoders/webp/nsWebPEncoder.cpp | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/image/encoders/webp/nsWebPEncoder.cpp b/image/encoders/webp/nsWebPEncoder.cpp
index 38c4f2ce4c288..c7ae125aae40f 100644
--- a/image/encoders/webp/nsWebPEncoder.cpp
+++ b/image/encoders/webp/nsWebPEncoder.cpp
@@ -103,12 +103,20 @@ nsWebPEncoder::InitFromData(const uint8_t* aData,
 
   size_t size = 0;
 
+  CheckedInt32 width = CheckedInt32(aWidth);
+  CheckedInt32 height = CheckedInt32(aHeight);
+  CheckedInt32 stride = CheckedInt32(aStride);
+  if (!width.isValid() || !height.isValid() || !stride.isValid() ||
+      !(CheckedUint32(aStride) * CheckedUint32(aHeight)).isValid()) {
+    return NS_ERROR_INVALID_ARG;
+  }
+
   if (aInputFormat == INPUT_FORMAT_RGB) {
-    size =
-        WebPEncodeRGB(aData, aWidth, aHeight, aStride, quality, &mImageBuffer);
+    size = WebPEncodeRGB(aData, width.value(), height.value(), stride.value(),
+                         quality, &mImageBuffer);
   } else if (aInputFormat == INPUT_FORMAT_RGBA) {
-    size =
-        WebPEncodeRGBA(aData, aWidth, aHeight, aStride, quality, &mImageBuffer);
+    size = WebPEncodeRGBA(aData, width.value(), height.value(), stride.value(),
+                          quality, &mImageBuffer);
   } else if (aInputFormat == INPUT_FORMAT_HOSTARGB) {
     UniquePtr<uint8_t[]> aDest = MakeUnique<uint8_t[]>(aStride * aHeight);
 
@@ -135,8 +143,8 @@ nsWebPEncoder::InitFromData(const uint8_t* aData,
       }
     }
 
-    size = WebPEncodeRGBA(aDest.get(), aWidth, aHeight, aStride, quality,
-                          &mImageBuffer);
+    size = WebPEncodeRGBA(aDest.get(), width.value(), height.value(),
+                          stride.value(), quality, &mImageBuffer);
   }
 
   mFinished = true;

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the tor-commits mailing list