diff --git a/src/avif.c b/src/avif.c index f44dc49e93..c7276b8cc1 100644 --- a/src/avif.c +++ b/src/avif.c @@ -234,6 +234,7 @@ static avifResult avifImageCopyProperties(avifImage * dstImage, const avifImage dstImage->numProperties = 0; if (srcImage->numProperties != 0) { + AVIF_CHECKERR(srcImage->numProperties < SIZE_MAX / sizeof(srcImage->properties[0]), AVIF_RESULT_INVALID_ARGUMENT); dstImage->properties = (avifImageItemProperty *)avifAlloc(srcImage->numProperties * sizeof(srcImage->properties[0])); AVIF_CHECKERR(dstImage->properties != NULL, AVIF_RESULT_OUT_OF_MEMORY); memset(dstImage->properties, 0, srcImage->numProperties * sizeof(srcImage->properties[0])); diff --git a/src/codec_avm.c b/src/codec_avm.c index 2328d6e457..0445339549 100644 --- a/src/codec_avm.c +++ b/src/codec_avm.c @@ -917,7 +917,13 @@ static avifResult avmCodecEncodeImage(avifCodec * codec, // Allocate the U plane if necessary. if (!avmImageAllocated) { uint32_t channelSize = avifImageUsesU16(image) ? 2 : 1; + if (monoUVWidth > UINT32_MAX / channelSize) { + return AVIF_RESULT_INVALID_ARGUMENT; + } uint32_t monoUVRowBytes = channelSize * monoUVWidth; + if (monoUVHeight > PTRDIFF_MAX / monoUVRowBytes) { + return AVIF_RESULT_INVALID_ARGUMENT; + } size_t monoUVSize = (size_t)monoUVHeight * monoUVRowBytes; monoUVPlane = avifAlloc(monoUVSize); diff --git a/src/codec_svt.c b/src/codec_svt.c index 2b887e85ef..3b70f46308 100644 --- a/src/codec_svt.c +++ b/src/codec_svt.c @@ -283,7 +283,13 @@ static avifResult svtCodecEncodeImage(avifCodec * codec, #if SVT_AV1_CHECK_VERSION(1, 8, 0) // Simulate 4:2:0 UV planes. SVT-AV1 does not support 4:0:0 samples. const uint32_t uvWidth = (image->width + y_shift) >> y_shift; + if (uvWidth > UINT32_MAX / bytesPerPixel) { + goto cleanup; + } const uint32_t uvRowBytes = uvWidth * bytesPerPixel; + if (uvHeight > PTRDIFF_MAX / uvRowBytes) { + goto cleanup; + } const size_t uvSize = (size_t)uvRowBytes * uvHeight; if (uvSize > UINT32_MAX / 2) { goto cleanup;