# HG changeset patch
# User reimar
# Date 1254296460 0
# Node ID 58b03e2d2ac210d2dfc5d363e0da5db0b49d4328
# Parent 328f17988caf07a35e3fb7f297f2312365a26984
Check for integer overflow in grow_array.
diff -r 328f17988caf -r 58b03e2d2ac2 libmpdemux/demux_mkv.c
--- a/libmpdemux/demux_mkv.c Wed Sep 30 07:35:33 2009 +0000
+++ b/libmpdemux/demux_mkv.c Wed Sep 30 07:41:00 2009 +0000
@@ -213,7 +213,10 @@
 void *oldp = *array;
 if (nelem & 31)
 return;
- *array = realloc(*array, (nelem + 32) * elsize);
+ if (nelem > UINT_MAX / elsize - 32)
+ *array = NULL;
+ else
+ *array = realloc(*array, (nelem + 32) * elsize);
 if (!*array)
 free(oldp);
 }
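Review bot: The added guard `nelem > UINT_MAX / elsize - 32` is itself fragile at the edges: it divides by zero when `elsize` is 0, and when `UINT_MAX / elsize` is below 32 the subtraction wraps to a huge value so the check never fires (this assumes `elsize` is an unsigned type; the signature of grow_array is outside the hunk). Writing it as `if (!elsize || UINT_MAX / elsize < 32 || nelem > UINT_MAX / elsize - 32)` closes both cases. Separately, `nelem + 32` in the realloc call is evaluated in the type of `nelem`, so if that is a signed `int` the addition can overflow before the multiplication; `((size_t)nelem + 32) * elsize` avoids that. On the overflow path the old buffer is freed and `*array` becomes NULL, so the callers (not visible here) need to test the pointer before indexing into it; a short comment above the function stating that contract would help.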