fix: prevent uint32_t overflow in avifSetTileConfiguration tile area

uwezkhan · web-flow · commit cc3e5dd3300a · 2026-02-26T15:14:41.000-08:00
When computing the tile count, width * height was performed as a
uint32_t multiplication. For images with dimensions whose product
exceeds UINT32_MAX (e.g. 100000x50000), this silently wraps around,
producing an incorrect tile count and potentially corrupt tile layout.
Fix by widening to uint64_t before multiplying.

Fixes: integer overflow in avifSetTileConfiguration (src/write.c)

Co-authored-by: uwezkhan06 &lt;uwezkhan055@gmail.com&gt;
diff --git a/src/write.c b/src/write.c
@@ -98,8 +98,10 @@ void avifSetTileConfiguration(int threads, uint32_t width, uint32_t height, int
         // number of threads would result in a compression penalty without much benefit.
         const uint32_t kMinTileArea = 512 * 512;
         const uint32_t kMaxTiles = 32;
-        uint32_t imageArea = width * height;
-        uint32_t tiles = (imageArea + kMinTileArea - 1) / kMinTileArea;
+        // AV1 requires width <= 65536 and height <= 65536, so their product fits
+        // in uint64_t and the resulting tile count fits in uint32_t.
+        const uint64_t imageArea = (uint64_t)width * height;
+        uint32_t tiles = (uint32_t)((imageArea + kMinTileArea - 1) / kMinTileArea);
         if (tiles > kMaxTiles) {
             tiles = kMaxTiles;
         }
