From 684c73773e7e2683245ffd6aa75f04115b51123a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Wed, 5 Aug 2020 01:30:04 +0200 Subject: framing: check for overflow on growing buffer newsize is a long, but storage is an int. This means the allocation could succeed but storage would overflow. Closes #2300 --- src/framing.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/framing.c b/src/framing.c index ef81912..724d116 100644 --- a/src/framing.c +++ b/src/framing.c @@ -597,9 +597,14 @@ char *ogg_sync_buffer(ogg_sync_state *oy, long size){ if(size>oy->storage-oy->fill){ /* We need to extend the internal buffer */ - long newsize=size+oy->fill+4096; /* an extra page to be nice */ + long newsize; void *ret; + if(size>INT_MAX-4096-oy->fill){ + ogg_sync_clear(oy); + return NULL; + } + newsize=size+oy->fill+4096; /* an extra page to be nice */ if(oy->data) ret=_ogg_realloc(oy->data,newsize); else -- cgit v1.2.1
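Review bot: The new guard `if(size>INT_MAX-4096-oy->fill)` gives no in-code reason for bounding against INT_MAX rather than LONG_MAX, and the 4096 slack is now written twice (in the guard and in `newsize=size+oy->fill+4096`), so the two can drift apart; I would put `/* oy->storage is an int: refuse a size that would overflow it once the 4096 slack is added */` above the check and hoist the slack into one named constant (e.g. `OGG_SYNC_SLACK`) used by both lines. The subtraction in the guard is evaluated in int and only stays free of overflow while oy->fill is non-negative, which the fill/returned bookkeeping ahead of the hunk presumably guarantees — worth confirming. Calling ogg_sync_clear() and returning NULL on this path is consistent with the existing allocation-failure handling just below the hunk. ogg_sync_buffer's body begins and ends outside the hunk.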