From: Wan-Teh Chang <wtc@google.com>
Subject: Avoid integer overflow in (32-bit) int or unsigned int arithmetic operations
Origin: https://github.com/AOMediaCodec/libavif/pull/2769#issuecomment-2907860473
Bug: https://github.com/AOMediaCodec/libavif/pull/2769
Bug-Debian: https://bugs.debian.org/1105883
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-48175
The idea of this patch is to assume the existence of integer overflow in
the code in avifImageRGBToYUV() and only enter the function when the
image width and height are not too big. We have a similar protection in
avifDecoder. Since avifImageRGBToYUV() is typically used to prepare the
input to avifEncoder, I didn't add this protection to
avifImageRGBToYUV().
2ded15b09 has some context for the image size (area) and dimension
limits. For this avifImageRGBToYUV() issue, the image size (area) limit
is sufficient. The image dimension limit is intended to avoid spending a
very long time decoding an image.
Link: https://github.com/AOMediaCodec/libavif/pull/2769#issuecomment-2907860473
---
src/reformat.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/reformat.c b/src/reformat.c
index 951c46b56ffb..9f760396da5a 100644
--- a/src/reformat.c
+++ b/src/reformat.c
@@ -196,6 +196,11 @@ static int avifReformatStateUVToUNorm(avifReformatState * state, float v)
avifResult avifImageRGBToYUV(avifImage * image, const avifRGBImage * rgb)
{
+ // Avoid integer overflow in (32-bit) int or unsigned int arithmetic operations.
+ if ((uint64_t)rgb->width * rgb->height > AVIF_DEFAULT_IMAGE_SIZE_LIMIT) {
+ return AVIF_RESULT_REFORMAT_FAILED;
+ }
+
if (!rgb->pixels || rgb->format == AVIF_RGB_FORMAT_RGB_565) {
return AVIF_RESULT_REFORMAT_FAILED;
}
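Review bot: the description above states that this protection was not added to avifImageRGBToYUV(), yet the hunk adds it to exactly that function; the surrounding sentence about avifDecoder and avifEncoder reads as if the opposite conversion direction was meant, so the description should be corrected to match the code before merging. A second point on the guard itself: only `rgb->width * rgb->height` is checked, not the dimensions of `image`; if the function relies on the two having matching dimensions, a short comment stating that assumption next to the check would make clear why one product is sufficient. The `(uint64_t)` cast on the left operand is the right way to do this, since it promotes the whole multiplication to 64 bits before the comparison and so the product itself cannot wrap.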
--
2.49.0