Ticket #185: 0002-oggdec-add-integer-overflow-and-allocation-check-in-.patch

File 0002-oggdec-add-integer-overflow-and-allocation-check-in-.patch, 1.0 KB (added by saste, 8 years ago)
  • libavformat/oggdec.c

    From 9aab04ac8c20c61dc6cddc4244d874b13db3cfb4 Mon Sep 17 00:00:00 2001
    From: Stefano Sabatini <stefano.sabatini-lala@poste.it>
    Date: Thu, 19 May 2011 00:05:21 +0200
    Subject: [PATCH] oggdec: add integer overflow and allocation check in ogg_read_page()
    
    ---
     libavformat/oggdec.c |    8 +++++++-
     1 files changed, 7 insertions(+), 1 deletions(-)
    
    diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
    index 7f65365..3007b6b 100644
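--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -288,7 +288,13 @@ static int ogg_read_page(AVFormatContext *s, int *str)
     }
 
     if (os->bufsize - os->bufpos < size){
-        uint8_t *nb = av_malloc (os->bufsize *= 2);
+        uint8_t *nb;
+        if (os->bufsize > SIZE_MAX/2) {
+            av_log(s, AV_LOG_ERROR, "Ogg page with size %u is too big\n", os->bufsize);
+            return AVERROR_INVALIDDATA;
+        }
+        if (!(nb = av_malloc (os->bufsize *= 2)))
+            return AVERROR(ENOMEM);
         memcpy (nb, os->buf, os->bufpos);
         av_free (os->buf);
         os->buf = nb;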
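Review bot: The overflow guard compares `os->bufsize` against `SIZE_MAX/2`, but the `%u` in the log message suggests the field is an `unsigned int` (its declaration is outside the hunk). If so, on 64-bit targets the guard can never fire and `os->bufsize *= 2` can still wrap to a small value, after which the `memcpy` of `os->bufpos` bytes would write past the end of the new buffer. Bounding by the field's own type, e.g. `if (os->bufsize > UINT_MAX/2) {`, closes that gap. Separately, `os->bufsize` is doubled inside the `av_malloc` call, so on the `ENOMEM` return the stored size is twice the real size of `os->buf`; allocate with `av_malloc(os->bufsize * 2)` and do `os->bufsize *= 2;` only after the NULL check. The body of ogg_read_page starts and ends outside the hunk.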