Fix UB in CopyMakeConstBoder_8u

[federicohml]

Problem: addition of unsigned offset to 0x000007ff0362 overflowed to 0x000007fefac0

In third_party/opencv/modules/core/src/copy.cpp the function copyMakeConstBorder_8u receives the step of a cv::Mat, namely dststep of type size_t. When offsetting the destination matrix pointer to start copying data, memcpy(dst + (i - top) * dststep, constBuf, dstroi.width) the result of (i - top) could be negative, then, when applying the arithmetic operator * because of arithmetic operator conversion the int is converted to size_t, resulting pointer overflow.

Pull Request Readiness Checklist

See details at https://github.com/opencv/opencv/wiki/How_to_contribute#making-a-good-pull-request

• I agree to contribute to the project under Apache 2 License.
• To the best of my knowledge, the proposed patch is not based on a code under GPL or other license that is incompatible with OpenCV
• The PR is proposed to proper branch
• There is reference to original bug report and related work
• There is accuracy test, performance test and test data in opencv_extra repository, if applicable
  Patch to opencv_extra has the same branch name.
• The feature is well documented and sample code can be built with the project CMake

[federicohml]

Could you elaborate on There is reference to original bug report and related work, what does that mean?

[alalek]

Please add problem description.

Are you sure that this patch fixes your problem? Because there is another similar code few lines below.

[federicohml]

I added a more detailed description of the problem I found.
I am sure it fixed the UB I found. This is the only part I am using so far in my code so I cannot tell whether there are/aren't more UB similar to this one, but at least this one is fixed. I will be more than happy to fix other as I cross them my way, though.

[federicohml]

I added a more detailed description of the problem.

I am sure it fixed the UB I found. This is the only part I am using so far in my code so I cannot tell whether there are/aren't more UB similar to this one, but at least this one is fixed. I will be more than happy to fix other as I cross them my way, though.

[terfendail]

The fix will fail if dststep is greater than INT_MAX. That's not the most often case, but possible.
Also i-top is always negative so the fix could be dst - (top - i)*dststep

[alalek]

Patch is rebased on 3.4 branch and updated to avoid using of pointers arithmetic with negative offsets.

@federicohml Please take a look (we do no have reproducer on our side).