From d264da20959dd4fa0efb9dfe98d34914755d1814 Mon Sep 17 00:00:00 2001
From: "Dexter.k" <164054284+rootvector2@users.noreply.github.com>
Date: Fri, 20 Feb 2026 18:23:00 +0000
Subject: [PATCH] gainmap: prevent integer overflow in plane allocation

---
 src/gainmap.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/gainmap.c b/src/gainmap.c
index b8585bf9cb..2e6813040b 100644
--- a/src/gainmap.c
+++ b/src/gainmap.c
@@ -558,11 +558,24 @@ avifResult avifRGBImageComputeGainMap(const avifRGBImage * baseRgbImage,
     avifResult res = AVIF_RESULT_OK;
     // --- After this point, the function should exit with 'goto cleanup' to free allocated resources.
+    // Overflow protection: 'width * height * sizeof(float)' uses signed int
+    // multiplication which is undefined behavior on overflow in C. Compute the
+    // allocation size in size_t with explicit overflow checks instead.
+    if (baseRgbImage->width > SIZE_MAX / sizeof(float)) {
+        res = AVIF_RESULT_INVALID_ARGUMENT;
+        goto cleanup;
+    }
+    const size_t gainMapPlaneRowBytes = (size_t)baseRgbImage->width * sizeof(float);
+    if (gainMapPlaneRowBytes != 0 && baseRgbImage->height > SIZE_MAX / gainMapPlaneRowBytes) {
+        res = AVIF_RESULT_INVALID_ARGUMENT;
+        goto cleanup;
+    }
+    const size_t gainMapPlaneSize = gainMapPlaneRowBytes * baseRgbImage->height;
     const avifBool singleChannel = (gainMap->image->yuvFormat == AVIF_PIXEL_FORMAT_YUV400);
     const int numGainMapChannels = singleChannel ? 1 : 3;
     for (int c = 0; c < numGainMapChannels; ++c) {
-        gainMapF[c] = avifAlloc(width * height * sizeof(float));
+        gainMapF[c] = avifAlloc(gainMapPlaneSize);
         if (gainMapF[c] == NULL) {
             res = AVIF_RESULT_OUT_OF_MEMORY;
             goto cleanup;