diff aviobuf.c @ 639:0b52743104ac libavformat
integer overflows, heap corruption
possible arbitrary code execution cannot be ruled out in some cases
precautionary checks
author | michael |
---|---|
date | Sat, 08 Jan 2005 14:21:33 +0000 |
parents | e1f17fcfb92c |
children | 253b5292946a |
--- a/aviobuf.c Thu Jan 06 00:54:03 2005 +0000
+++ b/aviobuf.c Sat Jan 08 14:21:33 2005 +0000
@@ -629,11 +629,13 @@
 /* reallocate buffer if needed */
 new_size = d->pos + buf_size;
 new_allocated_size = d->allocated_size;
+ if(new_size < d->pos || new_size > INT_MAX/2)
+ return -1;
 while (new_size > new_allocated_size) {
 if (!new_allocated_size)
 new_allocated_size = new_size;
 else
- new_allocated_size = (new_allocated_size * 3) / 2 + 1;
+ new_allocated_size += new_allocated_size / 2 + 1;
 }
 if (new_allocated_size > d->allocated_size) {
@@ -691,6 +693,8 @@
 else
 io_buffer_size = 1024;
+ if(sizeof(DynBuffer) + io_buffer_size < io_buffer_size)
+ return -1;
 d = av_malloc(sizeof(DynBuffer) + io_buffer_size);
 if (!d)
 return -1;
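Review bot: The wrap test `new_size < d->pos` in the first hunk runs after `d->pos + buf_size` has already been evaluated. If these are signed `int` (the declarations are outside the hunk, though the `INT_MAX/2` bound suggests it), the overflow is itself undefined behaviour and an optimising compiler may drop the comparison. Checking the operands before adding avoids that: `if (buf_size < 0 || d->pos > INT_MAX/2 - buf_size) return -1;` placed ahead of `new_size = d->pos + buf_size;`. This assumes `d->pos` is never negative, which should be confirmed wherever `d->pos` is updated. With `new_size` capped at `INT_MAX/2`, the rewritten growth step `new_allocated_size += new_allocated_size / 2 + 1;` stays below `INT_MAX`, so the loop itself looks sound.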
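Review bot: The guard `sizeof(DynBuffer) + io_buffer_size < io_buffer_size` in the second hunk only works through the implicit conversion of `io_buffer_size` to `size_t`. If that variable is a signed `int` (its declaration and the first branch of the assignment are outside the hunk), then on common platforms no positive value can wrap the sum, so what the test effectively rejects is a negative size. Stating that directly is easier to audit: `if (io_buffer_size < 0 || (size_t)io_buffer_size > SIZE_MAX - sizeof(DynBuffer)) return -1;`. A short comment such as `/* reject negative or wrapping buffer sizes before av_malloc */` would also record why the check exists.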