File CVE-2017-13194.patch of Package libvpx.14316
Index: libvpx-1.6.1/vpx/src/vpx_image.c
===================================================================
--- libvpx-1.6.1.orig/vpx/src/vpx_image.c
+++ libvpx-1.6.1/vpx/src/vpx_image.c
@@ -88,11 +88,10 @@ static vpx_image_t *img_alloc_helper(vpx
default: ycs = 0; break;
}
- /* Calculate storage sizes given the chroma subsampling */
- align = (1 << xcs) - 1;
- w = (d_w + align) & ~align;
- align = (1 << ycs) - 1;
- h = (d_h + align) & ~align;
+ /* Calculate storage sizes. If the buffer was allocated externally, the width
+ * and height shouldn't be adjusted. */
+ w = d_w;
+ h = d_h;
s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
s = (s + stride_align - 1) & ~(stride_align - 1);
stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
@@ -111,9 +110,18 @@ static vpx_image_t *img_alloc_helper(vpx
img->img_data = img_data;
if (!img_data) {
- const uint64_t alloc_size = (fmt & VPX_IMG_FMT_PLANAR)
- ? (uint64_t)h * s * bps / 8
- : (uint64_t)h * s;
+ uint64_t alloc_size;
+ /* Calculate storage sizes given the chroma subsampling */
+ align = (1 << xcs) - 1;
+ w = (d_w + align) & ~align;
+ align = (1 << ycs) - 1;
+ h = (d_h + align) & ~align;
+
+ s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
+ s = (s + stride_align - 1) & ~(stride_align - 1);
+ stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
+ alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8
+ : (uint64_t)h * s;
if (alloc_size != (size_t)alloc_size) goto fail;