@@ -1535,16 +1535,20 @@ static avifResult avifDecoderItemRead(avifDecoderItem * item,
15351535 } else {
15361536 AVIF_ASSERT_OR_RETURN (item -> ownsMergedExtents );
15371537 AVIF_ASSERT_OR_RETURN (front );
1538+ size_t writeOffset = (size_t )(front - item -> mergedExtents .data );
15381539 // Validate that the write will not exceed the allocated buffer
1539- if ((size_t )(front - item -> mergedExtents .data ) > item -> mergedExtents .size ||
1540- bytesToRead > item -> mergedExtents .size - (size_t )(front - item -> mergedExtents .data )) {
1541- avifDiagnosticsPrintf (diag ,
1542- "Item ID %u extent would overflow merge buffer (buffer size: %zu, current offset: %zu, bytes to write: %zu)" ,
1543- item -> id ,
1544- item -> mergedExtents .size ,
1545- (size_t )(front - item -> mergedExtents .data ),
1546- bytesToRead );
1547- return AVIF_RESULT_BMFF_PARSE_FAILED ;
1540+ if (writeOffset > item -> mergedExtents .size ||
1541+ bytesToRead > item -> mergedExtents .size - writeOffset ) {
1542+
1543+ avifDiagnosticsPrintf (
1544+ diag ,
1545+ "Item ID %u extent would overflow merge buffer (buffer size: %zu, current offset: %zu, bytes to write: %zu)" ,
1546+ item -> id ,
1547+ item -> mergedExtents .size ,
1548+ writeOffset ,
1549+ bytesToRead );
1550+
1551+ return AVIF_RESULT_INTERNAL_ERROR ;
15481552 }
15491553 memcpy (front , offsetBuffer .data , bytesToRead );
15501554 front += bytesToRead ;
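Review bot: The bounds check at new lines 1540-1541 now fails with `AVIF_RESULT_INTERNAL_ERROR` instead of `AVIF_RESULT_BMFF_PARSE_FAILED`, and nothing in the hunk shows whether the condition is an internal invariant or something extent sizes taken from the file can reach. If file-controlled extents can push `bytesToRead` past `item->mergedExtents.size - writeOffset`, this is a malformed-input failure and the parse-failed code is the accurate one for callers and for fuzz triage; if it is unreachable from input, the comment above the check should say so. That comment could also explain why the check has two parts, e.g. `// The first comparison keeps the size_t subtraction in the second from wrapping.` The blank lines added at 1542 and 1550 inside the `if` body do not match the surrounding formatting. avifDecoderItemRead starts and ends outside the hunk, so how `mergedExtents.size` and `bytesToRead` are derived is not visible here.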