From 9aab04ac8c20c61dc6cddc4244d874b13db3cfb4 Mon Sep 17 00:00:00 2001
From: Stefano Sabatini <stefano.sabatini-lala@poste.it>
Date: Thu, 19 May 2011 00:05:21 +0200
Subject: [PATCH] oggdec: add integer overflow and allocation check in ogg_read_page()
---
libavformat/oggdec.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
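diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 7f65365..3007b6b 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -288,7 +288,13 @@ static int ogg_read_page(AVFormatContext *s, int *str)
 }
 
 if (os->bufsize - os->bufpos < size){
-uint8_t *nb = av_malloc (os->bufsize *= 2);
+uint8_t *nb;
+if (os->bufsize > SIZE_MAX/2) {
+av_log(s, AV_LOG_ERROR, "Ogg page with size %u is too big\n", os->bufsize);
+return AVERROR_INVALIDDATA;
+}
+if (!(nb = av_malloc (os->bufsize *= 2)))
+return AVERROR(ENOMEM);
 memcpy (nb, os->buf, os->bufpos);
 av_free (os->buf);
 os->buf = nb;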
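Review bot: On the ENOMEM path at `if (!(nb = av_malloc (os->bufsize *= 2)))`, `os->bufsize` has already been doubled while `os->buf` still points at the old, smaller allocation. If the caller keeps using the stream after that error (not visible here), a later `os->bufsize - os->bufpos < size` check would be made against a capacity the buffer does not have. Allocate from the computed size and commit it only on success: `if (!(nb = av_malloc(os->bufsize * 2)))`, then `os->bufsize *= 2;` after the NULL check. Separately, the `%u` in the log call suggests `bufsize` is an `unsigned int`; if so, `os->bufsize > SIZE_MAX/2` can never be true where `size_t` is 64-bit and the doubling can still wrap, so the bound should follow the field's own type (for example `UINT_MAX/2`). The body of ogg_read_page starts and ends outside the hunk.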