author | Clément Bœsch <u@pkh.me> | 2020-08-05 01:30:04 +0200 |
committer | Clément Bœsch <u@pkh.me> | 2020-08-10 00:36:44 +0200 |
commit | 684c73773e7e2683245ffd6aa75f04115b51123a (patch) | |
tree | b66ac12589629e58583ae9f055b6b7d392852d7f | |
parent | 0bbcba4e7cf32324170470569c4527ffd0002870 (diff) | |
download | ogg-git-684c73773e7e2683245ffd6aa75f04115b51123a.tar.gz |
framing: check for overflow on growing buffer
newsize is a long, but storage is an int. This means the allocation
could succeed but storage would overflow.
Closes #2300
-rw-r--r-- | src/framing.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/framing.c b/src/framing.c
index ef81912..724d116 100644
--- a/src/framing.c
+++ b/src/framing.c
@@ -597,9 +597,14 @@ char *ogg_sync_buffer(ogg_sync_state *oy, long size){
 if(size>oy->storage-oy->fill){
 /* We need to extend the internal buffer */
- long newsize=size+oy->fill+4096; /* an extra page to be nice */
+ long newsize;
 void *ret;
+ if(size>INT_MAX-4096-oy->fill){
+ ogg_sync_clear(oy);
+ return NULL;
+ }
+ newsize=size+oy->fill+4096; /* an extra page to be nice */
 if(oy->data)
 ret=_ogg_realloc(oy->data,newsize);
 else |