Fix integer overflow in two convert functions

Fix integer overflow in buffer allocation size calculations in the align_buffer_64() macro and the I422ToNV21() and Android420ToARGBMatrix() functions. Based on a CL autogenerated by MendIt (go/androidmendit): https://googleplex-android-review.googlesource.com/c/platform/external/libyuv/+/39981732 Bug: 511821134 Change-Id: Ie1728c3ad337d460d9b85979489a817cc97e3bf3 Reviewed-on: https://chromium-review.googlesource.com/c/libyuv/libyuv/+/7886817 Reviewed-by: Frank Barchard <fbarchard@google.com> Commit-Queue: Wan-Teh Chang <wtc@google.com>
2026-06-15 00:16:08 +08:00 · 2026-05-29 15:58:39 -07:00 · 2026-05-29 15:58:39 -07:00 · d2c6dd5e6a
commit d2c6dd5e6a
parent b7389e99be
5 changed files with 15 additions and 6 deletions
--- a/README.chromium
+++ b/README.chromium
@ -1,6 +1,6 @@
 Name: libyuv
 URL: https://chromium.googlesource.com/libyuv/libyuv/
-Version: 1943
+Version: 1944
 Revision: DEPS
 License: BSD-3-Clause
 License File: LICENSE
--- a/include/libyuv/row.h
+++ b/include/libyuv/row.h
@ -1025,7 +1025,10 @@ struct ArgbConstants {
 #define IS_ALIGNED(p, a) (!((uintptr_t)(p) & ((a)-1)))

 #define align_buffer_64(var, size)                                         \
-  void* var##_mem = malloc((size) + 63);                      /* NOLINT */ \
+  size_t var##_mem_size = (size); /* NOLINT */                             \
+  void* var##_mem = (var##_mem_size > SIZE_MAX - 63)                       \
+                        ? NULL                                             \
+                        : malloc(var##_mem_size + 63);        /* NOLINT */ \
  uint8_t* var = (uint8_t*)(((intptr_t)var##_mem + 63) & ~63) /* NOLINT */

 #define free_aligned_buffer_64(var) \
--- a/include/libyuv/version.h
+++ b/include/libyuv/version.h
@ -11,6 +11,6 @@
 #ifndef INCLUDE_LIBYUV_VERSION_H_
 #define INCLUDE_LIBYUV_VERSION_H_

-#define LIBYUV_VERSION 1943
+#define LIBYUV_VERSION 1944

 #endif  // INCLUDE_LIBYUV_VERSION_H_
--- a/source/convert.cc
+++ b/source/convert.cc
@ -941,10 +941,13 @@ int I422ToNV21(const uint8_t* src_y,
  }

  // Allocate u and v buffers
-  align_buffer_64(plane_u, halfwidth * halfheight * 2);
-  uint8_t* plane_v = plane_u + halfwidth * halfheight;
+  const uint64_t plane_size = (uint64_t)halfwidth * halfheight;
+  if (plane_size > SIZE_MAX / 2)
+    return 1;
+  align_buffer_64(plane_u, (size_t)plane_size * 2);
  if (!plane_u)
    return 1;
+  uint8_t* plane_v = plane_u + (size_t)plane_size;

  I422ToI420(src_y, src_stride_y, src_u, src_stride_u, src_v, src_stride_v,
             dst_y, dst_stride_y, plane_u, halfwidth, plane_v, halfwidth, width,
--- a/source/convert_argb.cc
+++ b/source/convert_argb.cc
@ -5080,7 +5080,10 @@ int Android420ToARGBMatrix(const uint8_t* src_y,
  }

  // General case fallback creates NV12
-  align_buffer_64(plane_uv, halfwidth * 2 * halfheight);
+  const uint64_t uv_size = (uint64_t)halfwidth * 2 * halfheight;
+  if (uv_size > SIZE_MAX)
+    return 1;
+  align_buffer_64(plane_uv, (size_t)uv_size);
  if (!plane_uv)
    return 1;
  dst_uv = plane_uv;