From d2c6dd5e6a2fbc99b3e41acdc9c54b9e5faa434e Mon Sep 17 00:00:00 2001 From: Wan-Teh Chang Date: Fri, 29 May 2026 15:58:39 -0700 Subject: [PATCH] Fix integer overflow in two convert functions Fix integer overflow in buffer allocation size calculations in the align_buffer_64() macro and the I422ToNV21() and Android420ToARGBMatrix() functions. Based on a CL autogenerated by MendIt (go/androidmendit): https://googleplex-android-review.googlesource.com/c/platform/external/libyuv/+/39981732 Bug: 511821134 Change-Id: Ie1728c3ad337d460d9b85979489a817cc97e3bf3 Reviewed-on: https://chromium-review.googlesource.com/c/libyuv/libyuv/+/7886817 Reviewed-by: Frank Barchard Commit-Queue: Wan-Teh Chang --- README.chromium | 2 +- include/libyuv/row.h | 5 ++++- include/libyuv/version.h | 2 +- source/convert.cc | 7 +++++-- source/convert_argb.cc | 5 ++++- 5 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/README.chromium b/README.chromium
index ae8e037eb..09be1dd7a 100644
--- a/README.chromium
+++ b/README.chromium
@@ -1,6 +1,6 @@
 Name: libyuv
 URL: https://chromium.googlesource.com/libyuv/libyuv/
-Version: 1943
+Version: 1944
 Revision: DEPS
 License: BSD-3-Clause
 License File: LICENSE
diff --git a/include/libyuv/row.h b/include/libyuv/row.h
index ede80b13a..5263ad31a 100644
--- a/include/libyuv/row.h
+++ b/include/libyuv/row.h
@@ -1025,7 +1025,10 @@ struct ArgbConstants {
 #define IS_ALIGNED(p, a) (!((uintptr_t)(p) & ((a)-1)))
 #define align_buffer_64(var, size) \
- void* var##_mem = malloc((size) + 63); /* NOLINT */ \
+ size_t var##_mem_size = (size); /* NOLINT */ \
+ void* var##_mem = (var##_mem_size > SIZE_MAX - 63) \
+ ? NULL \
+ : malloc(var##_mem_size + 63); /* NOLINT */ \
 uint8_t* var = (uint8_t*)(((intptr_t)var##_mem + 63) & ~63) /* NOLINT */
 #define free_aligned_buffer_64(var) \
diff --git a/include/libyuv/version.h b/include/libyuv/version.h
index d739e7ea6..9e0f23c68 100644
--- a/include/libyuv/version.h
+++ b/include/libyuv/version.h
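Review bot: The new `SIZE_MAX - 63` guard in align_buffer_64 only covers the `+ 63` alignment slack; the `(size)` argument is still evaluated in the caller's own type before it is stored into `var##_mem_size`, so an `int` product that has already wrapped negative arrives as a huge size_t that in general passes the guard and is rejected only because malloc fails. That contract is worth stating on the macro, e.g. `/* size must be computed without overflow by the caller (see the uint64_t pre-checks in convert.cc); only the +63 slack is range-checked here. */`. When the guard does trip, NULL goes through `((intptr_t)var##_mem + 63) & ~63` to a null `var`, so the existing `if (!var)` checks in callers keep working without change. The macro also now introduces a second identifier, `var##_mem_size`, into the caller's scope; a short comment noting that it must not collide with a caller's own `<var>_mem_size` would save a surprise later.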
@@ -11,6 +11,6 @@
 #ifndef INCLUDE_LIBYUV_VERSION_H_
 #define INCLUDE_LIBYUV_VERSION_H_
-#define LIBYUV_VERSION 1943
+#define LIBYUV_VERSION 1944
 #endif // INCLUDE_LIBYUV_VERSION_H_
diff --git a/source/convert.cc b/source/convert.cc
index 4f5cca500..06e721113 100644
--- a/source/convert.cc
+++ b/source/convert.cc
@@ -941,10 +941,13 @@ int I422ToNV21(const uint8_t* src_y,
 }
 // Allocate u and v buffers
- align_buffer_64(plane_u, halfwidth * halfheight * 2);
- uint8_t* plane_v = plane_u + halfwidth * halfheight;
+ const uint64_t plane_size = (uint64_t)halfwidth * halfheight;
+ if (plane_size > SIZE_MAX / 2)
+ return 1;
+ align_buffer_64(plane_u, (size_t)plane_size * 2);
 if (!plane_u)
 return 1;
+ uint8_t* plane_v = plane_u + (size_t)plane_size;
 I422ToI420(src_y, src_stride_y, src_u, src_stride_u, src_v, src_stride_v,
 dst_y, dst_stride_y, plane_u, halfwidth, plane_v, halfwidth, width,
diff --git a/source/convert_argb.cc b/source/convert_argb.cc
index 1d73d1e43..f7d9e9194 100644
--- a/source/convert_argb.cc
+++ b/source/convert_argb.cc
@@ -5080,7 +5080,10 @@ int Android420ToARGBMatrix(const uint8_t* src_y,
 }
 // General case fallback creates NV12
- align_buffer_64(plane_uv, halfwidth * 2 * halfheight);
+ const uint64_t uv_size = (uint64_t)halfwidth * 2 * halfheight;
+ if (uv_size > SIZE_MAX)
+ return 1;
+ align_buffer_64(plane_uv, (size_t)uv_size);
 if (!plane_uv)
 return 1;
 dst_uv = plane_uv;
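Review bot: The overflow guard added before align_buffer_64 in I422ToNV21 carries no comment, and the choice of `SIZE_MAX / 2` only makes sense once the reader spots the `* 2` on the following line; a one-liner above it would help: `// Two half-planes of halfwidth * halfheight bytes each must fit in size_t.`. The `return 1` matches the allocation-failure return just below, so the error convention stays consistent. On targets where size_t is 64 bits the comparison can only trip for a negative halfwidth or halfheight, whose cast to uint64_t lands above `SIZE_MAX / 2`; presumably those are already rejected by the argument checks earlier in the function, which begins outside this hunk, but that is worth confirming since the guard is the last line of defence before the pointer arithmetic on `plane_v`.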
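Review bot: In Android420ToARGBMatrix the guard `if (uv_size > SIZE_MAX)` is always false wherever size_t is 64 bits wide, because `uv_size` is itself a uint64_t and cannot exceed SIZE_MAX there; it only does work on 32-bit targets, and a compiler may flag the comparison as tautological. It also differs from the form used in I422ToNV21 in the convert.cc hunk, which checks the two-factor product against `SIZE_MAX / 2` before doubling. Mirroring that form keeps the two call sites consistent and keeps the check meaningful on every target: `const uint64_t uv_size = (uint64_t)halfwidth * halfheight;` / `if (uv_size > SIZE_MAX / 2)` / `align_buffer_64(plane_uv, (size_t)uv_size * 2);`, with the `return 1;` and the `if (!plane_uv)` check unchanged. The function begins outside the hunk, so whether negative halfwidth or halfheight values are rejected earlier cannot be confirmed from here.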