unci: prevent integer overflow during Bayer pattern loading

strukturag · Oct 12, 2024 · b5cd19e · b5cd19e
1 parent a2ebb71
commit b5cd19e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/libheif/codecs/uncompressed/unc_boxes.cc b/libheif/codecs/uncompressed/unc_boxes.cc
@@ -628,7 +628,7 @@ Error Box_cpat::parse(BitstreamRange& range, const heif_security_limits* limits)
   m_pattern_height = range.read16();
 
   auto max_bayer_pattern_size = limits->max_bayer_pattern_pixels;
-  if (max_bayer_pattern_size && m_pattern_width * m_pattern_height > max_bayer_pattern_size) {
+  if (max_bayer_pattern_size && m_pattern_height > max_bayer_pattern_size / m_pattern_width) {
     return {heif_error_Invalid_input,
             heif_suberror_Security_limit_exceeded,
             "Maximum Bayer pattern size exceeded."};