From 957f295ea946cbbd13fcfc46e7066f2efa801233 Mon Sep 17 00:00:00 2001 From: Frank Barchard Date: Fri, 29 May 2026 19:42:33 -0700 Subject: [PATCH] [libyuv] Fix potential UV coalescing overflow in NV12ToI420 Adds a safety check to prevent signed integer overflow in the UV plane coalescing logic within NV12ToI420. This ensures that halfwidth * halfheight does not overflow INT_MAX, matching the Y plane coalescing check and preventing potential undefined behavior (signed integer overflow) which could lead to negative widths being passed to SIMD functions. Test: libyuv_unittest --gtest_filter=*NV12Crop* Bug: None CONV=6401df25-4d5d-4595-a231-f72c2c8e78df TAG=agy R=wtc@google.com Change-Id: I15a51609a1e000a82f4b6958b4ada444efb1f2f4 Reviewed-on: https://chromium-review.googlesource.com/c/libyuv/libyuv/+/7886824 Commit-Queue: Wan-Teh Chang Reviewed-by: Wan-Teh Chang --- source/convert.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/source/convert.cc b/source/convert.cc index 06e721113..05820772a 100644 --- a/source/convert.cc +++ b/source/convert.cc @@ -1448,7 +1448,8 @@ int NV12ToI420(const uint8_t* src_y, } // Coalesce rows. if (src_stride_uv == halfwidth * 2 && dst_stride_u == halfwidth && - dst_stride_v == halfwidth) { + dst_stride_v == halfwidth && + (ptrdiff_t)halfwidth * halfheight <= INT_MAX) { halfwidth *= halfheight; halfheight = 1; src_stride_uv = dst_stride_u = dst_stride_v = 0;