From: Wan-Teh Chang <wtc@google.com>
Date: Thu, 8 Jul 2021 22:17:48 +0000 (-0700)
Subject: Check for addition overflows in vpx_img_set_rect()
X-Git-Tag: v1.11.0-rc1~15
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=69fc604636f740a57482f3898c2527d29663ee6d;p=platform%2Fupstream%2Flibvpx.git

Check for addition overflows in vpx_img_set_rect()

Check for x + w and y + h overflows in vpx_img_set_rect().

Move the declaration of the local variable 'data' to the block it is
used in.

Change-Id: I6bda875e1853c03135ec6ce29015bcc78bb8b7ba
---

diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c
index 2a7afc0..f9f0dd6 100644
--- a/vpx/src/vpx_image.c
+++ b/vpx/src/vpx_image.c
@@ -8,6 +8,7 @@
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
+#include <limits.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -152,9 +153,8 @@ vpx_image_t *vpx_img_wrap(vpx_image_t *img, vpx_img_fmt_t fmt, unsigned int d_w,
 
 int vpx_img_set_rect(vpx_image_t *img, unsigned int x, unsigned int y,
                      unsigned int w, unsigned int h) {
-  unsigned char *data;
-
-  if (x + w <= img->w && y + h <= img->h) {
+  if (x <= UINT_MAX - w && x + w <= img->w && y <= UINT_MAX - h &&
+      y + h <= img->h) {
     img->d_w = w;
     img->d_h = h;
 
@@ -165,7 +165,7 @@ int vpx_img_set_rect(vpx_image_t *img, unsigned int x, unsigned int y,
     } else {
       const int bytes_per_sample =
           (img->fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? 2 : 1;
-      data = img->img_data;
+      unsigned char *data = img->img_data;
 
       if (img->fmt & VPX_IMG_FMT_HAS_ALPHA) {
         img->planes[VPX_PLANE_ALPHA] =