Check malloc allocation sizes are less than SIZE_MAX
Bug: b/371615496
Change-Id: I75a94b08469d6d6b6fd55a8659031cbcb3d48eed
Reviewed-on: https://chromium-review.googlesource.com/c/libyuv/libyuv/+/5912039
Reviewed-by: Wan-Teh Chang <wtc@google.com>
diff --git a/README.chromium b/README.chromium
index a2857ac..0fa68a0 100644
--- a/README.chromium
+++ b/README.chromium
@@ -1,6 +1,6 @@
Name: libyuv
URL: https://chromium.googlesource.com/libyuv/libyuv/
-Version: 1896
+Version: 1897
License: BSD
License File: LICENSE
Shipped: yes
diff --git a/include/libyuv/version.h b/include/libyuv/version.h
index e6d56f7..23d3ad6 100644
--- a/include/libyuv/version.h
+++ b/include/libyuv/version.h
@@ -11,6 +11,6 @@
#ifndef INCLUDE_LIBYUV_VERSION_H_
#define INCLUDE_LIBYUV_VERSION_H_
-#define LIBYUV_VERSION 1896
+#define LIBYUV_VERSION 1897
#endif // INCLUDE_LIBYUV_VERSION_H_
diff --git a/source/convert_to_argb.cc b/source/convert_to_argb.cc
index 84df16c..9524571 100644
--- a/source/convert_to_argb.cc
+++ b/source/convert_to_argb.cc
@@ -75,8 +75,11 @@
}
if (need_buf) {
- int argb_size = crop_width * 4 * abs_crop_height;
- rotate_buffer = (uint8_t*)malloc(argb_size); /* NOLINT */
+ const uint64_t rotate_buffer_size = (uint64_t)crop_width * 4 * abs_crop_height;
+ if (rotate_buffer_size > SIZE_MAX) {
+ return -1; // Invalid size.
+ }
+ rotate_buffer = (uint8_t*)malloc((size_t)rotate_buffer_size);
if (!rotate_buffer) {
return 1; // Out of memory runtime error.
}
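Review bot: The new `rotate_buffer_size > SIZE_MAX` guard can only fire where size_t is narrower than 64 bits; on targets where SIZE_MAX equals UINT64_MAX the comparison is always false and an oversized request is left for malloc to refuse. The widened product is also only meaningful if `crop_width` and `abs_crop_height` are non-negative, because a negative int converts to a very large uint64_t and the product can wrap. That validation is not visible here, since the enclosing function starts outside the hunk. Once it is confirmed, I would record the assumption next to the check, e.g. `// Dimensions are validated positive above; this guard matters only when size_t is 32-bit.` The same applies to the identical guards in the scale_argb.cc and scale_rgb.cc hunks.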
diff --git a/source/convert_to_i420.cc b/source/convert_to_i420.cc
index 5869ecd..505f7dc 100644
--- a/source/convert_to_i420.cc
+++ b/source/convert_to_i420.cc
@@ -76,7 +76,11 @@
if (need_buf) {
int y_size = crop_width * abs_crop_height;
int uv_size = ((crop_width + 1) / 2) * ((abs_crop_height + 1) / 2);
- rotate_buffer = (uint8_t*)malloc(y_size + uv_size * 2); /* NOLINT */
+ const uint64_t rotate_buffer_size = (uint64_t)y_size + (uint64_t)uv_size * 2;
+ if (rotate_buffer_size > SIZE_MAX) {
+ return -1; // Invalid size.
+ }
+ rotate_buffer = (uint8_t*)malloc((size_t)rotate_buffer_size);
if (!rotate_buffer) {
return 1; // Out of memory runtime error.
}
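Review bot: `y_size` and `uv_size` on the two unchanged lines above the new code are still computed in `int`, so `crop_width * abs_crop_height` can overflow before anything is widened, and the `uint64_t` sum is then built from an already-wrapped (possibly negative) value. The widening has to happen on the operands, for example `const uint64_t y_size = (uint64_t)crop_width * abs_crop_height;` and `const uint64_t uv_size = (uint64_t)((crop_width + 1) / 2) * ((abs_crop_height + 1) / 2);`. Any later use of `y_size` or `uv_size` as an int offset into `rotate_buffer` lies outside the hunk and would need to follow the same type.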
diff --git a/source/scale_argb.cc b/source/scale_argb.cc
index 6709c9a..e32469a 100644
--- a/source/scale_argb.cc
+++ b/source/scale_argb.cc
@@ -1178,12 +1178,16 @@
int clip_height,
enum FilterMode filtering) {
int r;
- uint8_t* argb_buffer = (uint8_t*)malloc(src_width * src_height * 4);
+ (void)src_fourcc; // TODO(fbarchard): implement and/or assert.
+ (void)dst_fourcc;
+ const uint64_t argb_buffer_size = (uint64_t)src_width * src_height * 4;
+ if (argb_buffer_size > SIZE_MAX) {
+ return -1; // Invalid size.
+ }
+ uint8_t* argb_buffer = (uint8_t*)malloc((size_t)argb_buffer_size);
if (!argb_buffer) {
return 1; // Out of memory runtime error.
}
- (void)src_fourcc; // TODO(fbarchard): implement and/or assert.
- (void)dst_fourcc;
I420ToARGB(src_y, src_stride_y, src_u, src_stride_u, src_v, src_stride_v,
argb_buffer, src_width * 4, src_width, src_height);
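Review bot: The stride passed to I420ToARGB is still computed as `src_width * 4` in `int`, so a width above INT_MAX / 4 overflows there even though the 64-bit size check has passed (a wide image with a small height keeps `argb_buffer_size` modest). Rejecting such widths alongside the size check would close this, e.g. `if (src_width > INT_MAX / 4) { return -1; }`. The RGB24ToARGB call in the scale_rgb.cc hunk has the same `src_width * 4` argument. The function's signature and the rest of its body are outside the hunk, so an earlier bound on `src_width` may already exist and should be checked first.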
diff --git a/source/scale_rgb.cc b/source/scale_rgb.cc
index 8db59b5..2ba7b79 100644
--- a/source/scale_rgb.cc
+++ b/source/scale_rgb.cc
@@ -38,13 +38,20 @@
int dst_height,
enum FilterMode filtering) {
int r;
- uint8_t* src_argb =
- (uint8_t*)malloc(src_width * src_height * 4 + dst_width * dst_height * 4);
- uint8_t* dst_argb = src_argb + src_width * src_height * 4;
-
- if (!src_argb) {
- return 1;
+ const uint64_t src_argb_size = (uint64_t)src_width * src_height * 4;
+ const uint64_t dst_argb_size = (uint64_t)dst_width * dst_height * 4;
+ if (src_argb_size > (UINT64_MAX - dst_argb_size)) {
+ return -1; // Invalid size.
}
+ const uint64_t argb_size = src_argb_size + dst_argb_size;
+ if (argb_size < src_argb_size || argb_size < dst_argb_size || argb_size > SIZE_MAX) {
+ return -1; // Invalid size.
+ }
+ uint8_t* src_argb = (uint8_t*)malloc((size_t)argb_size);
+ if (!src_argb) {
+ return 1; // Out of memory runtime error.
+ }
+ uint8_t* dst_argb = src_argb + (size_t)src_argb_size;
r = RGB24ToARGB(src_rgb, src_stride_rgb, src_argb, src_width * 4, src_width,
src_height);
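Review bot: The second check repeats the first: once `src_argb_size > (UINT64_MAX - dst_argb_size)` has returned, the sum cannot wrap, so `argb_size < src_argb_size || argb_size < dst_argb_size` is never true and only obscures which condition does the work. I would reduce it to `if (argb_size > SIZE_MAX) {` and give the first check a comment such as `// The sum would overflow uint64_t.` so the two failure modes read separately. The function's parameter list and earlier validation start outside the hunk.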