Highlights
Integer Overflow: 9 prior fixes. Scrutinize any change in this area.
source/convert_to_i420.cc: most-fixed (4 issues). Treat as high-risk during review.
15 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns
The bug types that recur here, drawn from past fixes, not open vulnerabilities.
Integer Overflow: Negative image height parameters (such as INT_MIN) trigger integer negation overflows and incorrect offset calculations during coordinate mapping. Developers must strictly sanitize height inputs before performing any negation or absolute value calculations.
Integer Overflow: Unbounded width and height arguments in scaling operations lead to integer overflows in fixed-point math and stride calculations. Enforcing strict upper-bound limits (e.g., 32768 pixels) and casting stride operands to 64-bit types (ptrdiff_t) is critical to prevent heap overflows.
Out-of-bounds Read: Parsing untrusted JPEG and MJPEG container streams without validating buffer boundaries during marker scanning allows out-of-bounds reads. Any logic advancing input pointers or scanning markers must enforce strict remaining-size bounds checks.