File libwebp-CVE-2020-36328.patch of Package libwebp.30679

Overview Repositories Revisions Requests Users Attributes Meta

File libwebp-CVE-2020-36328.patch of Package libwebp.30679

From 71ed73cf86132394ea25ae9c7ed431e0d71043f5 Mon Sep 17 00:00:00 2001
From: Pascal Massimino <pascal.massimino@gmail.com>
Date: Fri, 25 May 2018 13:25:39 +0200
Subject: [PATCH] fix invalid check for buffer size

BUG=webp:383

Change-Id: I8ebbb5ca4860d73c3b59b12e238b54a89184bed0

Backported by Mike Gorse <mgorse@suse.com>
---
 src/dec/buffer.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/dec/buffer.c b/src/dec/buffer.c
index 75eb3c40..3cd94eb4 100644
--- a/src/dec/buffer.c
+++ b/src/dec/buffer.c
@@ -74,7 +74,8 @@ static VP8StatusCode CheckDecBuffer(const WebPDecBuffer* const buffer) {
   } else {    // RGB checks
     const WebPRGBABuffer* const buf = &buffer->u.RGBA;
     const int stride = abs(buf->stride);
-    const uint64_t size = MIN_BUFFER_SIZE(width, height, stride);
+    const uint64_t size =
+        MIN_BUFFER_SIZE(width * kModeBpp[mode], height, stride);
     ok &= (size <= buf->size);
     ok &= (stride >= width * kModeBpp[mode]);
     ok &= (buf->rgba != NULL);
-- 
2.31.1

Places

File libwebp-CVE-2020-36328.patch of Package libwebp.30679

Places