avifjpeg.c: check for uint32_t overflow before add

wantehchang · wantehchang · commit 04fe10b4293c · 2025-03-28T14:01:14.000-07:00
Bug: b:406974988
diff --git a/apps/shared/avifjpeg.c b/apps/shared/avifjpeg.c
@@ -310,7 +310,7 @@ static uint16_t avifJPEGReadUint16LittleEndian(const uint8_t * src)
 // Reads 'numBytes' at 'offset', stores them in 'bytes' and increases 'offset'.
 static avifBool avifJPEGReadBytes(const avifROData * data, uint8_t * bytes, uint32_t * offset, uint32_t numBytes)
 {
-    if (data->size < (*offset + numBytes)) {
+    if ((UINT32_MAX - *offset) < numBytes || data->size < (*offset + numBytes)) {
         return AVIF_FALSE;
     }
     memcpy(bytes, &data->data[*offset], numBytes);

Original file line number	Diff line number	Diff line change
`@@ -310,7 +310,7 @@ static uint16_t avifJPEGReadUint16LittleEndian(const uint8_t * src)`
`310`	`310`	`// Reads 'numBytes' at 'offset', stores them in 'bytes' and increases 'offset'.`
`311`	`311`	`static avifBool avifJPEGReadBytes(const avifROData * data, uint8_t * bytes, uint32_t * offset, uint32_t numBytes)`
`312`	`312`	`{`
`313`		`- if (data->size < (*offset + numBytes)) {`
	`313`	`+ if ((UINT32_MAX - offset) < numBytes \|\| data->size < (offset + numBytes)) {`
`314`	`314`	`return AVIF_FALSE;`
`315`	`315`	`}`
`316`	`316`	`memcpy(bytes, &data->data[*offset], numBytes);`