Check for addition overflows in aom_img_set_rect()
Check for x + w and y + h overflows in aom_img_set_rect().
Move the declaration of the local variable 'data' to the block it is
used in.
Change-Id: I6bda875e1853c03135ec6ce29015bcc78bb8b7ba
diff --git a/aom/src/aom_image.c b/aom/src/aom_image.c
index 13f71b2..3c28263 100644
--- a/aom/src/aom_image.c
+++ b/aom/src/aom_image.c
@@ -9,6 +9,7 @@
* PATENTS file, you can obtain it at www.aomedia.org/license/patent.
*/
+#include <limits.h>
#include <stdlib.h>
#include <string.h>
@@ -200,9 +201,8 @@
int aom_img_set_rect(aom_image_t *img, unsigned int x, unsigned int y,
unsigned int w, unsigned int h, unsigned int border) {
- unsigned char *data;
-
- if (x + w <= img->w && y + h <= img->h) {
+ if (x <= UINT_MAX - w && x + w <= img->w && y <= UINT_MAX - h &&
+ y + h <= img->h) {
img->d_w = w;
img->d_h = h;
@@ -216,7 +216,7 @@
} else {
const int bytes_per_sample =
(img->fmt & AOM_IMG_FMT_HIGHBITDEPTH) ? 2 : 1;
- data = img->img_data;
+ unsigned char *data = img->img_data;
img->planes[AOM_PLANE_Y] =
data + x * bytes_per_sample + y * img->stride[AOM_PLANE_Y];
diff --git a/test/aom_image_test.cc b/test/aom_image_test.cc
index 7ff82d7..7ff6f61 100644
--- a/test/aom_image_test.cc
+++ b/test/aom_image_test.cc
@@ -29,3 +29,18 @@
unsigned int align = 31;
EXPECT_EQ(aom_img_wrap(&img, format, kWidth, kHeight, align, buf), nullptr);
}
+
+TEST(AomImageTest, AomImgSetRectOverflow) {
+ const int kWidth = 128;
+ const int kHeight = 128;
+ unsigned char buf[kWidth * kHeight * 3];
+
+ aom_image_t img;
+ aom_img_fmt_t format = AOM_IMG_FMT_I444;
+ unsigned int align = 32;
+ EXPECT_EQ(aom_img_wrap(&img, format, kWidth, kHeight, align, buf), &img);
+
+ EXPECT_EQ(aom_img_set_rect(&img, 0, 0, kWidth, kHeight, 0), 0);
+ // This would result in overflow because -1 is cast to UINT_MAX.
+ EXPECT_NE(aom_img_set_rect(&img, -1, -1, kWidth, kHeight, 0), 0);
+}
