Google Git
Sign in
aomedia/libavif/04fe10b4293cdec9dc4f73266c666c3cd186d8ea^!/.
commit
04fe10b4293cdec9dc4f73266c666c3cd186d8ea
[log]
author
Wan-Teh Chang <wtc@google.com>
Fri Mar 28 13:46:09 2025 -0700
committer
Wan-Teh Chang <wtc@google.com>
Fri Mar 28 14:01:14 2025 -0700
tree
c6f554387826d7670334f13b80b8b461707c36f2
parent
5572e9c915ee6f02da36379a9e34ab8649740742 [diff]
avifjpeg.c: check for uint32_t overflow before add

Bug: b:406974988

diff --git a/apps/shared/avifjpeg.c b/apps/shared/avifjpeg.c
index 9bcc8c9..3cc6925 100644
--- a/apps/shared/avifjpeg.c
+++ b/apps/shared/avifjpeg.c

@@ -310,7 +310,7 @@
 // Reads 'numBytes' at 'offset', stores them in 'bytes' and increases 'offset'.
 static avifBool avifJPEGReadBytes(const avifROData * data, uint8_t * bytes, uint32_t * offset, uint32_t numBytes)
 {
-    if (data->size < (*offset + numBytes)) {
+    if ((UINT32_MAX - *offset) < numBytes || data->size < (*offset + numBytes)) {
         return AVIF_FALSE;
     }
     memcpy(bytes, &data->data[*offset], numBytes);