commit 1d7a708a227454a5a53cf1f036d6e6df368f2006
author Wan-Teh Chang <wtc@google.com> Tue Jun 01 14:40:27 2021 -0700
committer Joe Drago <joedrago@gmail.com> Wed Jun 02 11:07:23 2021 -0700
tree fbaa5a3830827417fe13a845853ee8241de9eedf
parent 9613e218c700a5d614b9055adf66f3c9a08abab5

Check for int32_t cast and unsigned add overflows

Also remove extraneous parentheses.

src/avif.c

diff --git a/src/avif.c b/src/avif.c
index bd785ab..e054330 100644
--- a/src/avif.c
+++ b/src/avif.c
@@ -440,7 +440,7 @@
 {
     clapFractionSimplify(a);
     clapFractionSimplify(b);
-    if ((a->d != b->d)) {
+    if (a->d != b->d) {
         const int32_t ad = a->d;
         const int32_t bd = b->d;
         a->n *= bd;
@@ -492,7 +492,8 @@
         avifDiagnosticsPrintf(diag, "[Strict] crop rect width and height must be nonzero");
         return AVIF_FALSE;
     }
-    if (((cropRect->x + cropRect->width) > imageW) || ((cropRect->y + cropRect->height) > imageH)) {
+    if ((cropRect->x > (UINT32_MAX - cropRect->width)) || ((cropRect->x + cropRect->width) > imageW) ||
+        (cropRect->y > (UINT32_MAX - cropRect->height)) || ((cropRect->y + cropRect->height) > imageH)) {
         avifDiagnosticsPrintf(diag, "[Strict] crop rect is out of the image's bounds");
         return AVIF_FALSE;
     }
@@ -550,6 +551,10 @@
         return AVIF_FALSE;
     }
 
+    if ((imageW > INT32_MAX) || (imageH > INT32_MAX)) {
+        avifDiagnosticsPrintf(diag, "[Strict] image width %u or height %u is greater than INT32_MAX", imageW, imageH);
+        return AVIF_FALSE;
+    }
     clapFraction uncroppedCenterX = calcCenter((int32_t)imageW);
     clapFraction uncroppedCenterY = calcCenter((int32_t)imageH);