Skip to content

Commit a43beb2

Browse files
jinyuan-devgfxVPLsdm
authored andcommitted
[RT Common] Fix integer overflow in surface size calculation
Modified GetSurfaceSizeInBytes() to prevent integer overflow when calculating surface sizes. Changed calculations to use mfxU64 intermediate variable (tempBytes) instead of direct mfxU32 arithmetic. Added overflow check before casting back to mfxU32, returning MFX_ERR_MEMORY_ALLOC if size exceeds UINT32_MAX. This prevents potential memory corruption or crashes with large surface dimensions.
1 parent 53d6409 commit a43beb2

1 file changed

Lines changed: 15 additions & 7 deletions

File tree

_studio/shared/src/libmfx_allocator.cpp

Lines changed: 15 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -154,6 +154,8 @@ mfxStatus mfxDefaultAllocator::FreeBuffer(mfxHDL pthis, mfxMemId mid)
154154

155155
mfxStatus mfxDefaultAllocator::GetSurfaceSizeInBytes(mfxU32 pitch, mfxU32 height, mfxU32 fourCC, mfxU32& nBytes)
156156
{
157+
mfxU64 tempBytes = 0;
158+
157159
switch (fourCC)
158160
{
159161
case MFX_FOURCC_YV12:
@@ -162,29 +164,29 @@ mfxStatus mfxDefaultAllocator::GetSurfaceSizeInBytes(mfxU32 pitch, mfxU32 height
162164
case MFX_FOURCC_P016:
163165
case MFX_FOURCC_YUV411:
164166
case MFX_FOURCC_IMC3:
165-
nBytes = pitch * height + (pitch >> 1) * (height >> 1) + (pitch >> 1) * (height >> 1);
167+
tempBytes = (mfxU64)pitch * height + (mfxU64)(pitch >> 1) * (height >> 1) + (mfxU64)(pitch >> 1) * (height >> 1);
166168
break;
167169
case MFX_FOURCC_P210:
168170
case MFX_FOURCC_YUY2:
169171
case MFX_FOURCC_YUV422H:
170172
case MFX_FOURCC_YUV422V:
171173
case MFX_FOURCC_UYVY:
172-
nBytes = pitch * height + (pitch >> 1) * height + (pitch >> 1) * height;
174+
tempBytes = (mfxU64)pitch * height + (mfxU64)(pitch >> 1) * height + (mfxU64)(pitch >> 1) * height;
173175
break;
174176
case MFX_FOURCC_YUV444:
175177
case MFX_FOURCC_RGB3:
176178
case MFX_FOURCC_RGBP:
177179
case MFX_FOURCC_BGRP:
178-
nBytes = pitch * height + pitch * height + pitch * height;
180+
tempBytes = (mfxU64)pitch * height + (mfxU64)pitch * height + (mfxU64)pitch * height;
179181
break;
180182
case MFX_FOURCC_RGB565:
181-
nBytes = 2 * pitch * height;
183+
tempBytes = (mfxU64)2 * pitch * height;
182184
break;
183185
case MFX_FOURCC_BGR4:
184186
case MFX_FOURCC_RGB4:
185187
case MFX_FOURCC_AYUV:
186188
case MFX_FOURCC_A2RGB10:
187-
nBytes = pitch * height + pitch * height + pitch * height + pitch * height;
189+
tempBytes = (mfxU64)pitch * height + (mfxU64)pitch * height + (mfxU64)pitch * height + (mfxU64)pitch * height;
188190
break;
189191
case MFX_FOURCC_Y410:
190192
case MFX_FOURCC_Y416:
@@ -196,15 +198,21 @@ mfxStatus mfxDefaultAllocator::GetSurfaceSizeInBytes(mfxU32 pitch, mfxU32 height
196198
case MFX_FOURCC_R16:
197199
case MFX_FOURCC_ARGB16:
198200
case MFX_FOURCC_ABGR16:
199-
nBytes = pitch * height;
201+
tempBytes = (mfxU64)pitch * height;
200202
break;
201203
case MFX_FOURCC_ABGR16F:
202-
nBytes = (pitch * height + pitch * height + pitch * height + pitch * height) * 2;
204+
tempBytes = ((mfxU64)pitch * height + (mfxU64)pitch * height + (mfxU64)pitch * height + (mfxU64)pitch * height) * 2;
203205
break;
204206
default:
205207
MFX_RETURN(MFX_ERR_UNSUPPORTED);
206208
break;
207209
}
210+
211+
// Check for overflow before narrowing to mfxU32
212+
if (tempBytes > UINT32_MAX)
213+
MFX_RETURN(MFX_ERR_MEMORY_ALLOC);
214+
215+
nBytes = static_cast<mfxU32>(tempBytes);
208216
return MFX_ERR_NONE;
209217
}
210218

0 commit comments

Comments
 (0)