[FFmpeg-devel] [PATCH] lavu/mem: fix potential int overflow and crash in av_dynarray_add()

Stefano Sabatini stefasab at gmail.com
Thu Apr 25 00:36:21 CEST 2013


Also extend documentation accordingly.
---
 libavutil/mem.c |    5 ++++-
 libavutil/mem.h |    3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavutil/mem.c b/libavutil/mem.c
index 687ec55..b3534b3 100644
--- a/libavutil/mem.c
+++ b/libavutil/mem.c
@@ -241,8 +241,11 @@ void av_dynarray_add(void *tab_ptr, int *nb_ptr, void *elem)
         if (nb == 0)
             nb_alloc = 1;
         else
-            nb_alloc = nb * 2;
+            nb_alloc = nb <= INT_MAX / (2 * sizeof(intptr_t)) ? nb * 2 :
+                                                                INT_MAX / sizeof(intptr_t);
         tab = av_realloc(tab, nb_alloc * sizeof(intptr_t));
+        if (!tab)
+            return;
         *(intptr_t**)tab_ptr = tab;
     }
     tab[nb++] = (intptr_t)elem;
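Review bot: The clamp added at lines 22–23 does not remove the overflow it targets, it only changes its shape: once nb exceeds INT_MAX / (2 * sizeof(intptr_t)) the table is pinned at INT_MAX / sizeof(intptr_t) entries, which is not on the doubling schedule, so if the reallocation trigger (outside this hunk, presumably a power-of-two test on nb) does not fire again before nb reaches that size, `tab[nb++]` writes past the allocation, and the next reallocation would even shrink the table below nb. The safer change is to refuse growth rather than cap it: `else if (nb > INT_MAX / (2 * sizeof(intptr_t))) return;` placed before the existing `else nb_alloc = nb * 2;`. Both that path and the new `if (!tab) return;` are invisible to the caller because the function returns void, so callers proceed as if elem had been stored; an int status return would fix this, and until then the early return deserves `/* allocation failed: elem is dropped and the caller cannot tell */`. av_dynarray_add's body begins and ends outside the hunk.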
diff --git a/libavutil/mem.h b/libavutil/mem.h
index 8ae0939..72610ef 100644
--- a/libavutil/mem.h
+++ b/libavutil/mem.h
@@ -197,7 +197,8 @@ void av_freep(void *ptr);
  *
  * In case of success, the pointer to the array is updated in order to
  * contain the new growed array, and the number pointed to by nb_ptr
- * is incremented.
+ * is incremented. In case of failure, the array is not modified and
+ * *nb_ptr is not updated.
  *
  * @param tab_ptr pointer to the array to grow
  * @param nb_ptr  pointer to the number of elements in the array
-- 
1.7.9.5


