Check error code returned from vImageBoxConvolve_ARGB8888

Summary: Changelog: [internal] If value returned from `vImageBoxConvolve_ARGB8888` is negative, an error occurred. Converting a negative number to `unsigned long` produces a large positive number (larger than memory). Trying to allocate that much memory fails, malloc returns NULL, and abort triggered inside `RCTBlurredImageWithRadius`. To fix this we need to check for return value from `vImageBoxConvolve_ARGB8888`. Documentation: https://developer.apple.com/documentation/accelerate/1515945-vimageboxconvolve_argb8888?language=objc Reviewed By: JoshuaGross Differential Revision: D25055827 fbshipit-source-id: 2c46ae6eea5cfcc95c2b552c7cd2bc60125fd24a
facebook · Nov 18, 2020 · a6b7855 · a6b7855
1 parent 3c8d011
commit a6b7855
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/Libraries/Image/RCTImageBlurUtils.m b/Libraries/Image/RCTImageBlurUtils.m
@@ -49,8 +49,14 @@
   boxSize |= 1; // Ensure boxSize is odd
 
   //create temp buffer
-  void *tempBuffer = malloc((size_t)vImageBoxConvolve_ARGB8888(&buffer1, &buffer2, NULL, 0, 0, boxSize, boxSize,
-                                                               NULL, kvImageEdgeExtend + kvImageGetTempBufferSize));
+  vImage_Error tempBufferSize = vImageBoxConvolve_ARGB8888(&buffer1, &buffer2, NULL, 0, 0, boxSize, boxSize,
+                                                             NULL, kvImageGetTempBufferSize | kvImageEdgeExtend);
+  if (tempBufferSize < 0) {
+    free(buffer1.data);
+    free(buffer2.data);
+    return inputImage;
+  }
+  void *tempBuffer = malloc(tempBufferSize);
   if (!tempBuffer) {
     // CWE - 391 : Unchecked error condition
     // https://www.cvedetails.com/cwe-details/391/Unchecked-Error-Condition.html