Ticket #185: 0002-oggdec-add-integer-overflow-and-allocation-check-in-.patch

File 0002-oggdec-add-integer-overflow-and-allocation-check-in-.patch, 1.0 KB (added by saste, 6 years ago)
  • libavformat/oggdec.c

    From 9aab04ac8c20c61dc6cddc4244d874b13db3cfb4 Mon Sep 17 00:00:00 2001
    From: Stefano Sabatini <stefano.sabatini-lala@poste.it>
    Date: Thu, 19 May 2011 00:05:21 +0200
    Subject: [PATCH] oggdec: add integer overflow and allocation check in ogg_read_page()
    
    ---
     libavformat/oggdec.c |    8 +++++++-
     1 files changed, 7 insertions(+), 1 deletions(-)
    
    diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
    index 7f65365..3007b6b 100644
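--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -288,7 +288,13 @@ static int ogg_read_page(AVFormatContext *s, int *str)
     }
 
     if (os->bufsize - os->bufpos < size){
-        uint8_t *nb = av_malloc (os->bufsize *= 2);
+        uint8_t *nb;
+        if (os->bufsize > SIZE_MAX/2) {
+            av_log(s, AV_LOG_ERROR, "Ogg page with size %u is too big\n", os->bufsize);
+            return AVERROR_INVALIDDATA;
+        }
+        if (!(nb = av_malloc (os->bufsize *= 2)))
+            return AVERROR(ENOMEM);
         memcpy (nb, os->buf, os->bufpos);
         av_free (os->buf);
         os->buf = nb;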
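Review bot: The bound in the new `if (os->bufsize > SIZE_MAX/2)` guard looks too wide for the variable it protects: the log call prints `os->bufsize` with `%u`, which suggests an `unsigned int` field (its declaration is not in the hunk), so where `size_t` is 64-bit the test can never be true and `os->bufsize *= 2` can still wrap, leaving a buffer smaller than the `memcpy` of `os->bufpos` bytes assumes. Comparing against the field's own limit, e.g. `if (os->bufsize > UINT_MAX/2) {`, would close that. Separately, `os->bufsize *= 2` runs inside the allocation test, so on the `AVERROR(ENOMEM)` path the recorded size is already doubled while `os->buf` still has the old size; allocating with `if (!(nb = av_malloc(os->bufsize * 2)))` and doing `os->bufsize *= 2;` only after success keeps the two consistent. `ogg_read_page()` begins and ends outside this hunk, so whether a caller keeps using the stream after ENOMEM is not visible here.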