From d089362d073ca15c5a1cb92d65e42aff1f06e6bb Mon Sep 17 00:00:00 2001
From: Pascal Massimino
Date: Tue, 8 Sep 2015 23:54:32 -0700
Subject: [PATCH] loosen the padding check on buffer size
Strictly speaking, the last (or first) row doesn't require padding.
cf https://code.google.com/p/webp/issues/detail?id=258
(cherry picked from commit 15ca5014f125b752be6a4c215f607aceadf7b0de)
Change-Id: Ie9ec8eb776fec1f5cea4cf9e21e81901fd79bf33
---
 src/dec/buffer.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/dec/buffer.c b/src/dec/buffer.c
index 42feac74..6272424f 100644
--- a/src/dec/buffer.c
+++ b/src/dec/buffer.c
@@ -67,7 +67,9 @@ static VP8StatusCode CheckDecBuffer(const WebPDecBuffer* const buffer) {
 } else { // RGB checks
 const WebPRGBABuffer* const buf = &buffer->u.RGBA;
 const int stride = abs(buf->stride);
- const uint64_t size = (uint64_t)stride * height;
+ // strictly speaking, the very last (or first, if flipped) row
+ // doesn't require padding.
+ const uint64_t size = (uint64_t)stride * (height - 1) + width;
 ok &= (size <= buf->size);
 ok &= (stride >= width * kModeBpp[mode]);
 ok &= (buf->rgba != NULL);
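Review bot: The loosened bound on the new `size` line counts the final row as `width` bytes, but the stride check two lines below shows an RGB row occupies `width * kModeBpp[mode]` bytes, so a caller-supplied buffer that is short by up to `width * (kModeBpp[mode] - 1)` bytes now passes `size <= buf->size`. If the decoder then writes a full last row into such a buffer, that is a write past its end. The last-row term should be expressed in bytes: `const uint64_t size = (uint64_t)stride * (height - 1) + (uint64_t)width * kModeBpp[mode];`. CheckDecBuffer starts and ends outside the hunk, so whether `height > 0` is guaranteed before `height - 1` is evaluated, and whether the YUV branch carries a similar gap, cannot be confirmed from here.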