From 0a68a93729ab879251ad63f833a327d20dbbbc23 Mon Sep 17 00:00:00 2001 From: Wan-Teh Chang Date: Fri, 12 Apr 2024 15:48:04 -0700 Subject: [PATCH 3/3] Fix a bug in alloc_size for high bit depths I introduced this bug in commit 2e32276: https://chromium-review.googlesource.com/c/webm/libvpx/+/5446333 I changed the line stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; to three lines: s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; if (s > INT_MAX) goto fail; stride_in_bytes = (int)s; But I didn't realize that `s` is used later in the calculation of alloc_size. As a quick fix, undo the effect of s * 2 for high bit depths after `s` has been assigned to stride_in_bytes. Bug: chromium:332382766 Change-Id: I53fbf405555645ab1d7254d31aadabe4f426be8c (cherry picked from commit 74c70af01667733483dc69298b8921779f5f6ff3) --- vpx/src/vpx_image.c | 1 + 1 file changed, 1 insertion(+) diff --git a/vpx/src/vpx_image.c b/vpx/src/vpx_image.c index 0c84562ae..38d4c1ce3 100644 --- a/vpx/src/vpx_image.c +++ b/vpx/src/vpx_image.c @@ -97,6 +97,7 @@ static vpx_image_t *img_alloc_helper(vpx_image_t *img, vpx_img_fmt_t fmt, s = (s + stride_align - 1) & ~((uint64_t)stride_align - 1); if (s > INT_MAX) goto fail; stride_in_bytes = (int)s; + s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s / 2 : s; /* Allocate the new image */ if (!img) { -- 2.45.2
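Review bot: the added `s = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s / 2 : s;` after `stride_in_bytes = (int)s;` repairs alloc_size by round-tripping `s` through `* 2` and `/ 2`, which the message itself calls a quick fix; a cleaner shape keeps `s` in samples throughout and derives the byte stride into its own variable, e.g. `uint64_t stride_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s; if (stride_bytes > INT_MAX) goto fail; stride_in_bytes = (int)stride_bytes;`, so nothing downstream can pick up a byte count by mistake. Two things to confirm even for the quick fix: the division is exact only because `s` is even here (it was doubled and then rounded up to a multiple of `stride_align` on the line above), and if the `* 2` now precedes that rounding line, the `s` that alloc_size sees is half of an aligned byte stride rather than an aligned sample stride, so the allocation and `stride_in_bytes` stay consistent with each other (the 2:1 ratio holds) but can differ from what the code computed before 2e32276 for widths where doubling changes the rounding. A comment stating the even/exact invariant, and a regression test that allocates a high-bit-depth image and checks `img->stride[]` against the allocated size, would document and protect this.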