Check malloc allocation sizes are less than SIZE_MAX

Bug: b/371615496
Change-Id: I75a94b08469d6d6b6fd55a8659031cbcb3d48eed
Reviewed-on: https://chromium-review.googlesource.com/c/libyuv/libyuv/+/5912039
Reviewed-by: Wan-Teh Chang <wtc@google.com>

README.chromium

@@ -1,6 +1,6 @@
 Name: libyuv
 URL: https://chromium.googlesource.com/libyuv/libyuv/
-Version: 1896
+Version: 1897
 License: BSD
 License File: LICENSE
 Shipped: yes

include/libyuv/version.h

@@ -11,6 +11,6 @@
 #ifndef INCLUDE_LIBYUV_VERSION_H_
 #define INCLUDE_LIBYUV_VERSION_H_
 
-#define LIBYUV_VERSION 1896
+#define LIBYUV_VERSION 1897
 
 #endif  // INCLUDE_LIBYUV_VERSION_H_

source/convert_to_argb.cc

@@ -75,8 +75,11 @@ int ConvertToARGB(const uint8_t* sample,
   }
 
   if (need_buf) {
-    int argb_size = crop_width * 4 * abs_crop_height;
+    const uint64_t rotate_buffer_size = (uint64_t)crop_width * 4 * abs_crop_height;
-    rotate_buffer = (uint8_t*)malloc(argb_size); /* NOLINT */
+    if (rotate_buffer_size > SIZE_MAX) {
+      return -1;  // Invalid size.
+    }
+    rotate_buffer = (uint8_t*)malloc((size_t)rotate_buffer_size);
     if (!rotate_buffer) {
       return 1;  // Out of memory runtime error.
     }

source/convert_to_i420.cc

@@ -76,7 +76,11 @@ int ConvertToI420(const uint8_t* sample,
   if (need_buf) {
     int y_size = crop_width * abs_crop_height;
     int uv_size = ((crop_width + 1) / 2) * ((abs_crop_height + 1) / 2);
-    rotate_buffer = (uint8_t*)malloc(y_size + uv_size * 2); /* NOLINT */
+    const uint64_t rotate_buffer_size = (uint64_t)y_size + (uint64_t)uv_size * 2;
+    if (rotate_buffer_size > SIZE_MAX) {
+      return -1;  // Invalid size.
+    }
+    rotate_buffer = (uint8_t*)malloc((size_t)rotate_buffer_size);
     if (!rotate_buffer) {
       return 1;  // Out of memory runtime error.
     }

source/scale_argb.cc

@@ -1178,12 +1178,16 @@ int YUVToARGBScaleClip(const uint8_t* src_y,
                        int clip_height,
                        enum FilterMode filtering) {
   int r;
-  uint8_t* argb_buffer = (uint8_t*)malloc(src_width * src_height * 4);
+  (void)src_fourcc;  // TODO(fbarchard): implement and/or assert.
+  (void)dst_fourcc;
+  const uint64_t argb_buffer_size = (uint64_t)src_width * src_height * 4;
+  if (argb_buffer_size > SIZE_MAX) {
+    return -1;  // Invalid size.
+  }
+  uint8_t* argb_buffer = (uint8_t*)malloc((size_t)argb_buffer_size);
   if (!argb_buffer) {
     return 1;  // Out of memory runtime error.
   }
-  (void)src_fourcc;  // TODO(fbarchard): implement and/or assert.
-  (void)dst_fourcc;
   I420ToARGB(src_y, src_stride_y, src_u, src_stride_u, src_v, src_stride_v,
              argb_buffer, src_width * 4, src_width, src_height);
 

source/scale_rgb.cc

@@ -38,13 +38,20 @@ int RGBScale(const uint8_t* src_rgb,
              int dst_height,
              enum FilterMode filtering) {
   int r;
-  uint8_t* src_argb =
+  const uint64_t src_argb_size = (uint64_t)src_width * src_height * 4;
-      (uint8_t*)malloc(src_width * src_height * 4 + dst_width * dst_height * 4);
+  const uint64_t dst_argb_size = (uint64_t)dst_width * dst_height * 4;
-  uint8_t* dst_argb = src_argb + src_width * src_height * 4;
+  if (src_argb_size > (UINT64_MAX - dst_argb_size)) {
-
+    return -1;  // Invalid size.
-  if (!src_argb) {
-    return 1;
   }
+  const uint64_t argb_size = src_argb_size + dst_argb_size;
+  if (argb_size < src_argb_size || argb_size < dst_argb_size || argb_size > SIZE_MAX) {
+    return -1;  // Invalid size.
+  }
+  uint8_t* src_argb = (uint8_t*)malloc((size_t)argb_size);
+  if (!src_argb) {
+    return 1;  // Out of memory runtime error.
+  }
+  uint8_t* dst_argb = src_argb + (size_t)src_argb_size;
 
   r = RGB24ToARGB(src_rgb, src_stride_rgb, src_argb, src_width * 4, src_width,
                   src_height);