From ccd415101d748628b6809354e95f974e640c06a3 Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang
Date: Fri, 5 Jun 2026 11:39:31 -0700
Subject: [PATCH] Fix int negation overflow in ConvertToARGB/I420
Fix int negation overflow in ConvertToARGB() and ConvertToI420().
Change-Id: Ia8e1f1a2994962a0372f4c31f6cc9c8972d8a954
Reviewed-on: https://chromium-review.googlesource.com/c/libyuv/libyuv/+/7904588
Reviewed-by: James Zern
Commit-Queue: Wan-Teh Chang
---
 source/convert_to_argb.cc | 13 +++++++------
 source/convert_to_i420.cc | 27 +++++++++++++++------------
 2 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/source/convert_to_argb.cc b/source/convert_to_argb.cc
index 4b465b276..a30a66a73 100644
--- a/source/convert_to_argb.cc
+++ b/source/convert_to_argb.cc
@@ -50,6 +50,13 @@ int ConvertToARGB(const uint8_t* sample,
 int crop_height,
 enum RotationMode rotation,
 uint32_t fourcc) {
+ if (dst_argb == NULL || sample == NULL || src_width <= 0 ||
+ src_width > INT_MAX / 4 || crop_width <= 0 || crop_width > INT_MAX / 4 ||
+ src_height == 0 || src_height == INT_MIN || crop_height == 0 ||
+ crop_height == INT_MIN) {
+ return -1;
+ }
+
 uint32_t format = CanonicalFourCC(fourcc);
 int aligned_src_width = (src_width + 1) & ~1;
 const uint8_t* src;
@@ -70,12 +77,6 @@ int ConvertToARGB(const uint8_t* sample,
 uint8_t* rotate_buffer = NULL;
 int abs_crop_height = (crop_height < 0) ? -crop_height : crop_height;
- if (dst_argb == NULL || sample == NULL || src_width <= 0 ||
- src_width > INT_MAX / 4 || crop_width <= 0 || crop_width > INT_MAX / 4 ||
- src_height == 0 || src_height == INT_MIN || crop_height == 0 ||
- crop_height == INT_MIN) {
- return -1;
- }
 if (src_height < 0) {
 inv_crop_height = -inv_crop_height;
 }
diff --git a/source/convert_to_i420.cc b/source/convert_to_i420.cc
index 8441928fb..baa4a9494 100644
--- a/source/convert_to_i420.cc
+++ b/source/convert_to_i420.cc
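Review bot: The guard hoisted to the top of ConvertToARGB() (convert_to_argb.cc, first hunk) still checks no crop geometry, whereas the ConvertToI420() guard in this same commit rejects `crop_x < 0 || crop_y < 0 || crop_width > src_width || crop_x > src_width - crop_width` and the matching height comparisons. Unless code outside the hunk bounds the crop rectangle, a caller-supplied crop larger than the source could let the source pointer be offset past the sample buffer. Assuming ConvertToARGB() takes the same crop_x/crop_y parameters, the same conditions should be added here, with the absolute heights computed only after the INT_MIN test, as ConvertToI420() now does. The function body continues outside the hunk.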
@@ -44,11 +44,24 @@ int ConvertToI420(const uint8_t* sample,
 int crop_height,
 enum RotationMode rotation,
 uint32_t fourcc) {
+ if (src_height == INT_MIN || crop_height == INT_MIN) {
+ return -1;
+ }
+
+ const int abs_src_height = (src_height < 0) ? -src_height : src_height;
+ const int abs_crop_height = (crop_height < 0) ? -crop_height : crop_height;
+
+ if (!dst_y || !dst_u || !dst_v || !sample || src_width <= 0 ||
+ src_width > INT_MAX / 4 || crop_width <= 0 || src_height == 0 ||
+ crop_height == 0 || crop_x < 0 || crop_y < 0 || crop_width > src_width ||
+ crop_x > src_width - crop_width || abs_crop_height > abs_src_height ||
+ crop_y > abs_src_height - abs_crop_height) {
+ return -1;
+ }
+
 uint32_t format = CanonicalFourCC(fourcc);
 const uint8_t* src;
 const uint8_t* src_uv;
- const int abs_src_height = (src_height < 0) ? -src_height : src_height;
- const int abs_crop_height = (crop_height < 0) ? -crop_height : crop_height;
 int r = 0;
 LIBYUV_BOOL need_buf =
 (rotation && format != FOURCC_I420 && format != FOURCC_NV12 &&
@@ -63,16 +76,6 @@ int ConvertToI420(const uint8_t* sample,
 uint8_t* rotate_buffer = NULL;
 const int inv_crop_height =
 (src_height < 0) ? -abs_crop_height : abs_crop_height;
-
- if (!dst_y || !dst_u || !dst_v || !sample || src_width <= 0 ||
- src_width > INT_MAX / 4 || crop_width <= 0 || src_height == 0 ||
- src_height == INT_MIN || crop_height == 0 || crop_height == INT_MIN ||
- crop_x < 0 || crop_y < 0 || crop_width > src_width ||
- crop_x > src_width - crop_width || abs_crop_height > abs_src_height ||
- crop_y > abs_src_height - abs_crop_height) {
- return -1;
- }
-
 int aligned_src_width = (src_width + 1) & ~1;
 // One pass rotation is available for some formats. For the rest, convert
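Review bot: Nothing in the new ConvertToI420() prologue (first hunk of convert_to_i420.cc) says why the INT_MIN test is split from the main argument check and placed first, yet that ordering is the whole fix: the two negations that follow are undefined for INT_MIN. A one-line comment above the first `if`, such as `// -INT_MIN overflows int: reject it before abs_src_height/abs_crop_height are computed.`, would keep a later cleanup from merging the two checks or moving the declarations back above them. A regression test that calls both converters with INT_MIN heights would also be worth adding, since the diffstat lists only the two source files. The function body continues outside the hunk.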