diff --git a/README.chromium b/README.chromium index a2857ac62..0fa68a010 100644 --- a/README.chromium +++ b/README.chromium @@ -1,6 +1,6 @@ Name: libyuv URL: https://chromium.googlesource.com/libyuv/libyuv/ -Version: 1896 +Version: 1897 License: BSD License File: LICENSE Shipped: yes diff --git a/include/libyuv/version.h b/include/libyuv/version.h index e6d56f73c..23d3ad67a 100644 --- a/include/libyuv/version.h +++ b/include/libyuv/version.h @@ -11,6 +11,6 @@ #ifndef INCLUDE_LIBYUV_VERSION_H_ #define INCLUDE_LIBYUV_VERSION_H_ -#define LIBYUV_VERSION 1896 +#define LIBYUV_VERSION 1897 #endif // INCLUDE_LIBYUV_VERSION_H_ diff --git a/source/convert_to_argb.cc b/source/convert_to_argb.cc index 84df16c8c..952457163 100644 --- a/source/convert_to_argb.cc +++ b/source/convert_to_argb.cc @@ -75,8 +75,11 @@ int ConvertToARGB(const uint8_t* sample, } if (need_buf) { - int argb_size = crop_width * 4 * abs_crop_height; - rotate_buffer = (uint8_t*)malloc(argb_size); /* NOLINT */ + const uint64_t rotate_buffer_size = (uint64_t)crop_width * 4 * abs_crop_height; + if (rotate_buffer_size > SIZE_MAX) { + return -1; // Invalid size. + } + rotate_buffer = (uint8_t*)malloc((size_t)rotate_buffer_size); if (!rotate_buffer) { return 1; // Out of memory runtime error. } diff --git a/source/convert_to_i420.cc b/source/convert_to_i420.cc index 5869ecd7b..505f7dcd2 100644 --- a/source/convert_to_i420.cc +++ b/source/convert_to_i420.cc @@ -76,7 +76,11 @@ int ConvertToI420(const uint8_t* sample, if (need_buf) { int y_size = crop_width * abs_crop_height; int uv_size = ((crop_width + 1) / 2) * ((abs_crop_height + 1) / 2); - rotate_buffer = (uint8_t*)malloc(y_size + uv_size * 2); /* NOLINT */ + const uint64_t rotate_buffer_size = (uint64_t)y_size + (uint64_t)uv_size * 2; + if (rotate_buffer_size > SIZE_MAX) { + return -1; // Invalid size. + } + rotate_buffer = (uint8_t*)malloc((size_t)rotate_buffer_size); if (!rotate_buffer) { return 1; // Out of memory runtime error. } diff --git a/source/scale_argb.cc b/source/scale_argb.cc index 6709c9a7c..e32469a44 100644 --- a/source/scale_argb.cc +++ b/source/scale_argb.cc @@ -1178,12 +1178,16 @@ int YUVToARGBScaleClip(const uint8_t* src_y, int clip_height, enum FilterMode filtering) { int r; - uint8_t* argb_buffer = (uint8_t*)malloc(src_width * src_height * 4); + (void)src_fourcc; // TODO(fbarchard): implement and/or assert. + (void)dst_fourcc; + const uint64_t argb_buffer_size = (uint64_t)src_width * src_height * 4; + if (argb_buffer_size > SIZE_MAX) { + return -1; // Invalid size. + } + uint8_t* argb_buffer = (uint8_t*)malloc((size_t)argb_buffer_size); if (!argb_buffer) { return 1; // Out of memory runtime error. } - (void)src_fourcc; // TODO(fbarchard): implement and/or assert. - (void)dst_fourcc; I420ToARGB(src_y, src_stride_y, src_u, src_stride_u, src_v, src_stride_v, argb_buffer, src_width * 4, src_width, src_height); diff --git a/source/scale_rgb.cc b/source/scale_rgb.cc index 8db59b56f..2ba7b7917 100644 --- a/source/scale_rgb.cc +++ b/source/scale_rgb.cc @@ -38,13 +38,20 @@ int RGBScale(const uint8_t* src_rgb, int dst_height, enum FilterMode filtering) { int r; - uint8_t* src_argb = - (uint8_t*)malloc(src_width * src_height * 4 + dst_width * dst_height * 4); - uint8_t* dst_argb = src_argb + src_width * src_height * 4; - - if (!src_argb) { - return 1; + const uint64_t src_argb_size = (uint64_t)src_width * src_height * 4; + const uint64_t dst_argb_size = (uint64_t)dst_width * dst_height * 4; + if (src_argb_size > (UINT64_MAX - dst_argb_size)) { + return -1; // Invalid size. } + const uint64_t argb_size = src_argb_size + dst_argb_size; + if (argb_size < src_argb_size || argb_size < dst_argb_size || argb_size > SIZE_MAX) { + return -1; // Invalid size. + } + uint8_t* src_argb = (uint8_t*)malloc((size_t)argb_size); + if (!src_argb) { + return 1; // Out of memory runtime error. + } + uint8_t* dst_argb = src_argb + (size_t)src_argb_size; r = RGB24ToARGB(src_rgb, src_stride_rgb, src_argb, src_width * 4, src_width, src_height);