1 Subject: Fix OOB caused by odd frame width, CVE-2017-13194
2 Origin: https://android.googlesource.com/platform/external/libvpx/+/55cd1dd7c8d0a3de907d22e0f12718733f4e41d
4 diff --git a/libs/libvpx/libvpx/vpx/src/vpx_image.c b/libs/libvpx/libvpx/vpx/src/vpx_image.c
5 index dba439c..af7c529 100644
6 --- a/libs/libvpx/vpx/src/vpx_image.c
7 +++ b/libs/libvpx/vpx/src/vpx_image.c
9 default: ycs = 0; break;
12 - /* Calculate storage sizes given the chroma subsampling */
13 - align = (1 << xcs) - 1;
14 - w = (d_w + align) & ~align;
15 - align = (1 << ycs) - 1;
16 - h = (d_h + align) & ~align;
17 + /* Calculate storage sizes. If the buffer was allocated externally, the width
18 + * and height shouldn't be adjusted. */
21 s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
22 s = (s + stride_align - 1) & ~(stride_align - 1);
23 stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
25 img->img_data = img_data;
28 - const uint64_t alloc_size = (fmt & VPX_IMG_FMT_PLANAR)
29 - ? (uint64_t)h * s * bps / 8
31 + uint64_t alloc_size;
32 + /* Calculate storage sizes given the chroma subsampling */
33 + align = (1 << xcs) - 1;
34 + w = (d_w + align) & ~align;
35 + align = (1 << ycs) - 1;
36 + h = (d_h + align) & ~align;
38 + s = (fmt & VPX_IMG_FMT_PLANAR) ? w : bps * w / 8;
39 + s = (s + stride_align - 1) & ~(stride_align - 1);
40 + stride_in_bytes = (fmt & VPX_IMG_FMT_HIGHBITDEPTH) ? s * 2 : s;
41 + alloc_size = (fmt & VPX_IMG_FMT_PLANAR) ? (uint64_t)h * s * bps / 8
44 if (alloc_size != (size_t)alloc_size) goto fail;