Google Git
Sign in
aomedia/libavif/3ca142411dcaa1d40c92b5de4317fc5a983bd424^!/./src/read.c
commit
3ca142411dcaa1d40c92b5de4317fc5a983bd424
[log]
author
Wan-Teh Chang <wtc@google.com>
Wed Sep 30 16:39:38 2020 -0700
committer
Joe Drago <joedrago@gmail.com>
Thu Oct 01 11:50:25 2020 -0700
tree
19c9d4464c10e17b6383e597ff7a9c03e8ea6026
parent
877067a874d8e81dbf651934673268ad8c06a298 [diff] [blame]
avifCodecDecodeInputGetSamples: check for overflow

Check if the addition sampleOffset + sampleSize would overflow in
avifCodecDecodeInputGetSamples().

diff --git a/src/read.c b/src/read.c
index e1bde74..d877e13 100644
--- a/src/read.c
+++ b/src/read.c

@@ -366,6 +366,9 @@
             sample->size = sampleSize;
             sample->sync = AVIF_FALSE; // to potentially be set to true following the outer loop
 
+            if (sampleSize > UINT64_MAX - sampleOffset) {
+                return AVIF_FALSE;
+            }
             if (sizeHint && ((sampleOffset + sampleSize) > (uint64_t)sizeHint)) {
                 return AVIF_FALSE;
             }