diff aviobuf.c @ 639:0b52743104ac libavformat

integer overflows, heap corruption; possible arbitrary code execution cannot be ruled out in some cases; precautionary checks
author michael
date Sat, 08 Jan 2005 14:21:33 +0000
parents e1f17fcfb92c
children 253b5292946a
--- a/aviobuf.c	Thu Jan 06 00:54:03 2005 +0000
+++ b/aviobuf.c	Sat Jan 08 14:21:33 2005 +0000
@@ -629,11 +629,13 @@
     /* reallocate buffer if needed */
     new_size = d->pos + buf_size;
     new_allocated_size = d->allocated_size;
+    if(new_size < d->pos || new_size > INT_MAX/2)
+        return -1;
     while (new_size > new_allocated_size) {
         if (!new_allocated_size)
             new_allocated_size = new_size;
         else
-            new_allocated_size = (new_allocated_size * 3) / 2 + 1;    
+            new_allocated_size += new_allocated_size / 2 + 1;    
     }
     
     if (new_allocated_size > d->allocated_size) {
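Review bot: The wrap test `new_size < d->pos` runs only after `d->pos + buf_size` has been computed. If both are signed ints (the declarations are outside the hunk, though the `INT_MAX/2` bound suggests so), the overflow is already undefined behaviour and an optimising compiler may drop the comparison. Checking before the addition avoids relying on wraparound: `if (buf_size < 0 || buf_size > INT_MAX/2 - d->pos) return -1;` placed ahead of `new_size = d->pos + buf_size;`, assuming `d->pos` is never negative. A short comment would also help, saying that the `INT_MAX/2` cap is what keeps `new_allocated_size += new_allocated_size / 2 + 1` from overflowing in the growth loop. The function begins and ends outside the hunk.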
@@ -691,6 +693,8 @@
     else
         io_buffer_size = 1024;
         
+    if(sizeof(DynBuffer) + io_buffer_size < io_buffer_size)
+        return -1;
     d = av_malloc(sizeof(DynBuffer) + io_buffer_size);
     if (!d)
         return -1;
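Review bot: The guard `sizeof(DynBuffer) + io_buffer_size < io_buffer_size` is evaluated in `size_t`, so it catches a bad `io_buffer_size` only when the sum actually wraps. If `io_buffer_size` is a signed int (its declaration and the non-default assignment are outside the hunk), other negative values pass and reach `av_malloc` as a very large request. Stating the bound directly is easier to audit: `if (io_buffer_size < 0 || (size_t)io_buffer_size > SIZE_MAX - sizeof(DynBuffer)) return -1;`. The limit should match `av_malloc`'s parameter type, which is not visible here.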