Google Git
Sign in
aomedia/libavif/030cace8c5baf2e9a39eff9f6ea99fefc15e5690^!/.
commit
030cace8c5baf2e9a39eff9f6ea99fefc15e5690
[log]
author
Wan-Teh Chang <wtc@google.com>
Tue Feb 06 14:12:29 2024 -0800
committer
Wan-Teh Chang <wtc@google.com>
Wed Feb 07 12:31:58 2024 -0800
tree
97377e604cfcad15060d4d919522e641b5d1958b
parent
4ae05d6dcc6b1ac0b53c01f13f19811209247b3c [diff]
Better ID choice for new item.

This is a manual cherry-pick of commit 59f1c9a.

This fixes the case where the maximum ID is UINT32_MAX.

BUG=oss-fuzz:65657

diff --git a/src/read.c b/src/read.c
index c879024..9a60869 100644
--- a/src/read.c
+++ b/src/read.c

@@ -3665,12 +3665,8 @@
     uint32_t * alphaItemIndices = avifAlloc(colorItemCount * sizeof(uint32_t));
     AVIF_CHECKERR(alphaItemIndices, AVIF_RESULT_OUT_OF_MEMORY);
     uint32_t alphaItemCount = 0;
-    uint32_t maxItemID = 0;
     for (uint32_t i = 0; i < colorItem->meta->items.count; ++i) {
-        avifDecoderItem * item = colorItem->meta->items.item[i];
-        if (item->id > maxItemID) {
-            maxItemID = item->id;
-        }
+        const avifDecoderItem * const item = colorItem->meta->items.item[i];
         if (item->dimgForID == colorItem->id) {
             avifBool seenAlphaForCurrentItem = AVIF_FALSE;
             for (uint32_t j = 0; j < colorItem->meta->items.count; ++j) {
@@ -3699,11 +3695,31 @@
         }
     }
     assert(alphaItemCount == colorItemCount);
-    *alphaItem = avifMetaFindItem(colorItem->meta, maxItemID + 1);
-    if (*alphaItem == NULL) {
+    // Find an unused ID.
+    avifResult result;
+    if (colorItem->meta->items.count >= UINT32_MAX - 1) {
+        // In the improbable case where all IDs are used.
+        result = AVIF_RESULT_DECODE_ALPHA_FAILED;
+    } else {
+        uint32_t newItemID = 0;
+        avifBool isUsed;
+        do {
+            ++newItemID;
+            isUsed = AVIF_FALSE;
+            for (uint32_t i = 0; i < colorItem->meta->items.count; ++i) {
+                if (colorItem->meta->items.item[i]->id == newItemID) {
+                    isUsed = AVIF_TRUE;
+                    break;
+                }
+            }
+        } while (isUsed && newItemID != 0);
+        *alphaItem = avifMetaFindItem(colorItem->meta, newItemID); // Create new empty item.
+        result = (*alphaItem == NULL) ? AVIF_RESULT_OUT_OF_MEMORY : AVIF_RESULT_OK;
+    }
+    if (result != AVIF_RESULT_OK) {
         avifFree(alphaItemIndices);
         *isAlphaItemInInput = AVIF_FALSE;
-        return AVIF_RESULT_OUT_OF_MEMORY;
+        return result;
     }
     memcpy((*alphaItem)->type, "grid", 4);
     (*alphaItem)->width = colorItem->width;