Description: security fix
  Fix CVE-2016-8888 and CVE-2016-9085
Author: Jeff Breidenbach <jab@debian.org>

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: http://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: <YYYY-MM-DD>

--- libwebp-0.5.1.orig/examples/example_util.c
+++ libwebp-0.5.1/examples/example_util.c
@@ -279,3 +279,10 @@ void ExUtilCopyPlane(const uint8_t* src,
 }
 
 // -----------------------------------------------------------------------------
+
+int ImgIoUtilCheckSizeArgumentsOverflow(uint64_t nmemb, size_t size) {
+  const uint64_t total_size = nmemb * size;
+  return (total_size == (size_t)total_size);
+}
+
+// -----------------------------------------------------------------------------
--- libwebp-0.5.1.orig/examples/example_util.h
+++ libwebp-0.5.1/examples/example_util.h
@@ -60,6 +60,11 @@ void ExUtilCopyPlane(const uint8_t* src,
                      uint8_t* dst, int dst_stride, int width, int height);
 
 //------------------------------------------------------------------------------
+
+// Returns 0 in case of overflow of nmemb * size.
+int ImgIoUtilCheckSizeArgumentsOverflow(uint64_t nmemb, size_t size);
+
+//------------------------------------------------------------------------------
 // WebP decoding
 
 // Prints an informative error message regarding decode failure of 'in_file'.
--- libwebp-0.5.1.orig/examples/jpegdec.c
+++ libwebp-0.5.1/examples/jpegdec.c
@@ -258,7 +258,8 @@ int ReadJPEG(const uint8_t* const data,
              WebPPicture* const pic, int keep_alpha,
              Metadata* const metadata) {
   volatile int ok = 0;
-  int stride, width, height;
+  int width, height;
+  int64_t stride;
   volatile struct jpeg_decompress_struct dinfo;
   struct my_error_mgr jerr;
   uint8_t* volatile rgb = NULL;
@@ -297,9 +298,14 @@ int ReadJPEG(const uint8_t* const data,
 
   width = dinfo.output_width;
   height = dinfo.output_height;
-  stride = dinfo.output_width * dinfo.output_components * sizeof(*rgb);
+  stride = (int64_t)dinfo.output_width * dinfo.output_components * sizeof(*rgb);
 
-  rgb = (uint8_t*)malloc(stride * height);
+  if (stride != (int)stride ||
+      !ImgIoUtilCheckSizeArgumentsOverflow(stride, height)) {
+    goto End;
+  }
+
+  rgb = (uint8_t*)malloc((size_t)stride * height);
   if (rgb == NULL) {
     goto End;
   }
@@ -326,7 +332,7 @@ int ReadJPEG(const uint8_t* const data,
   // WebP conversion.
   pic->width = width;
   pic->height = height;
-  ok = WebPPictureImportRGB(pic, rgb, stride);
+  ok = WebPPictureImportRGB(pic, rgb, (int)stride);
   if (!ok) goto Error;
 
  End:
--- libwebp-0.5.1.orig/examples/pngdec.c
+++ libwebp-0.5.1/examples/pngdec.c
@@ -217,7 +217,7 @@ int ReadPNG(const uint8_t* const data, s
   int p;
   volatile int ok = 0;
   png_uint_32 width, height, y;
-  png_uint_32 stride;
+  int64_t stride;
   uint8_t* volatile rgb = NULL;
 
   context.data = data;
@@ -270,8 +270,14 @@ int ReadPNG(const uint8_t* const data, s
 
   num_passes = png_set_interlace_handling(png);
   png_read_update_info(png, info);
-  stride = (has_alpha ? 4 : 3) * width * sizeof(*rgb);
-  rgb = (uint8_t*)malloc(stride * height);
+
+  stride = (int64_t)(has_alpha ? 4 : 3) * width * sizeof(*rgb);
+  if (stride != (int)stride ||
+      !ImgIoUtilCheckSizeArgumentsOverflow(stride, height)) {
+    goto Error;
+  }
+
+  rgb = (uint8_t*)malloc((size_t)stride * height);
   if (rgb == NULL) goto Error;
   for (p = 0; p < num_passes; ++p) {
     for (y = 0; y < height; ++y) {
--- libwebp-0.5.1.orig/examples/tiffdec.c
+++ libwebp-0.5.1/examples/tiffdec.c
@@ -22,6 +22,7 @@
 #include <tiffio.h>
 
 #include "webp/encode.h"
+#include "./example_util.h"
 #include "./metadata.h"
 
 static const struct {
@@ -124,6 +125,7 @@ int ReadTIFF(const uint8_t* const data,
                                    MySize, MyMapFile, MyUnmapFile);
   uint32 width, height;
   uint32* raster;
+  int64_t alloc_size;
   int ok = 0;
   tdir_t dircount;
 
@@ -144,7 +146,16 @@ int ReadTIFF(const uint8_t* const data,
     fprintf(stderr, "Error! Cannot retrieve TIFF image dimensions.\n");
     goto End;
   }
-  raster = (uint32*)_TIFFmalloc(width * height * sizeof(*raster));
+
+  if (!ImgIoUtilCheckSizeArgumentsOverflow((uint64_t)width * height,
+                                           sizeof(*raster))) {
+    goto End;
+  }
+  // _Tiffmalloc uses a signed type for size.
+  alloc_size = (int64_t)((uint64_t)width * height * sizeof(*raster));
+  if (alloc_size < 0 || alloc_size != (tmsize_t)alloc_size) goto End;
+
+  raster = (uint32*)_TIFFmalloc((tmsize_t)alloc_size);
   if (raster != NULL) {
     if (TIFFReadRGBAImageOriented(tif, width, height, raster,
                                   ORIENTATION_TOPLEFT, 1)) {
--- libwebp-0.5.1.orig/examples/wicdec.c
+++ libwebp-0.5.1/examples/wicdec.c
@@ -274,7 +274,7 @@ int ReadPictureWithWIC(const char* const
     NULL
   };
   int has_alpha = 0;
-  int stride;
+  int64_t stride;
 
   IFS(CoInitialize(NULL));
   IFS(CoCreateInstance(MAKE_REFGUID(CLSID_WICImagingFactory), NULL,
@@ -334,14 +334,19 @@ int ReadPictureWithWIC(const char* const
 
   // Decode.
   IFS(IWICFormatConverter_GetSize(converter, &width, &height));
-  stride = importer->bytes_per_pixel * width * sizeof(*rgb);
+  stride = (int64_t)importer->bytes_per_pixel * width * sizeof(*rgb);
+  if (stride != (int)stride ||
+      !ImgIoUtilCheckSizeArgumentsOverflow(stride, height)) {
+    hr = E_FAIL;
+  }
+
   if (SUCCEEDED(hr)) {
-    rgb = (BYTE*)malloc(stride * height);
+    rgb = (BYTE*)malloc((size_t)stride * height);
     if (rgb == NULL)
       hr = E_OUTOFMEMORY;
   }
   IFS(IWICFormatConverter_CopyPixels(converter, NULL,
-                                     stride, stride * height, rgb));
+                                     (UINT)stride, (UINT)stride * height, rgb));
 
   // WebP conversion.
   if (SUCCEEDED(hr)) {
@@ -349,7 +354,7 @@ int ReadPictureWithWIC(const char* const
     pic->width = width;
     pic->height = height;
     pic->use_argb = 1;    // For WIC, we always force to argb
-    ok = importer->import(pic, rgb, stride);
+    ok = importer->import(pic, rgb, (int)stride);
     if (!ok) hr = E_FAIL;
   }
   if (SUCCEEDED(hr)) {
