File libwebp-CVE-2020-36328.patch of Package libwebp.30679
From 71ed73cf86132394ea25ae9c7ed431e0d71043f5 Mon Sep 17 00:00:00 2001
From: Pascal Massimino <pascal.massimino@gmail.com>
Date: Fri, 25 May 2018 13:25:39 +0200
Subject: [PATCH] fix invalid check for buffer size
BUG=webp:383
Change-Id: I8ebbb5ca4860d73c3b59b12e238b54a89184bed0
Backported by Mike Gorse <mgorse@suse.com>
---
src/dec/buffer.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/dec/buffer.c b/src/dec/buffer.c
index 75eb3c40..3cd94eb4 100644
--- a/src/dec/buffer.c
+++ b/src/dec/buffer.c
@@ -74,7 +74,8 @@ static VP8StatusCode CheckDecBuffer(const WebPDecBuffer* const buffer) {
} else { // RGB checks
const WebPRGBABuffer* const buf = &buffer->u.RGBA;
const int stride = abs(buf->stride);
- const uint64_t size = MIN_BUFFER_SIZE(width, height, stride);
+ const uint64_t size =
+ MIN_BUFFER_SIZE(width * kModeBpp[mode], height, stride);
ok &= (size <= buf->size);
ok &= (stride >= width * kModeBpp[mode]);
ok &= (buf->rgba != NULL);
--
2.31.1