Skip to content

Commit d0b72c6

Browse files
committed
use INTERNAL_ERROR and simplify overflow check during extent merge
1 parent 4d1f8ef commit d0b72c6

1 file changed

Lines changed: 13 additions & 9 deletions

File tree

src/read.c

Lines changed: 13 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1535,16 +1535,20 @@ static avifResult avifDecoderItemRead(avifDecoderItem * item,
15351535
} else {
15361536
AVIF_ASSERT_OR_RETURN(item->ownsMergedExtents);
15371537
AVIF_ASSERT_OR_RETURN(front);
1538+
size_t writeOffset = (size_t)(front - item->mergedExtents.data);
15381539
// Validate that the write will not exceed the allocated buffer
1539-
if ((size_t)(front - item->mergedExtents.data) > item->mergedExtents.size ||
1540-
bytesToRead > item->mergedExtents.size - (size_t)(front - item->mergedExtents.data)) {
1541-
avifDiagnosticsPrintf(diag,
1542-
"Item ID %u extent would overflow merge buffer (buffer size: %zu, current offset: %zu, bytes to write: %zu)",
1543-
item->id,
1544-
item->mergedExtents.size,
1545-
(size_t)(front - item->mergedExtents.data),
1546-
bytesToRead);
1547-
return AVIF_RESULT_BMFF_PARSE_FAILED;
1540+
if (writeOffset > item->mergedExtents.size ||
1541+
bytesToRead > item->mergedExtents.size - writeOffset) {
1542+
1543+
avifDiagnosticsPrintf(
1544+
diag,
1545+
"Item ID %u extent would overflow merge buffer (buffer size: %zu, current offset: %zu, bytes to write: %zu)",
1546+
item->id,
1547+
item->mergedExtents.size,
1548+
writeOffset,
1549+
bytesToRead);
1550+
1551+
return AVIF_RESULT_INTERNAL_ERROR;
15481552
}
15491553
memcpy(front, offsetBuffer.data, bytesToRead);
15501554
front += bytesToRead;

0 commit comments

Comments
 (0)