[FFmpeg-devel] [PATCH] lavu/mem: fix potential int overflow and crash in av_dynarray_add()
Stefano Sabatini
stefasab at gmail.com
Thu Apr 25 00:36:21 CEST 2013
Also extend documentation accordingly.
---
libavutil/mem.c | 5 ++++-
libavutil/mem.h | 3 ++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavutil/mem.c b/libavutil/mem.c
index 687ec55..b3534b3 100644
--- a/libavutil/mem.c
+++ b/libavutil/mem.c
@@ -241,8 +241,11 @@ void av_dynarray_add(void *tab_ptr, int *nb_ptr, void *elem)
if (nb == 0)
nb_alloc = 1;
else
- nb_alloc = nb * 2;
+ nb_alloc = nb <= INT_MAX / (2 * sizeof(intptr_t)) ? nb * 2 :
+ INT_MAX / sizeof(intptr_t);
tab = av_realloc(tab, nb_alloc * sizeof(intptr_t));
+ if (!tab)
+ return;
*(intptr_t**)tab_ptr = tab;
}
tab[nb++] = (intptr_t)elem;
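Review bot: In the else branch, the fallback value INT_MAX / sizeof(intptr_t) is never compared against nb, so if this path is reached with nb already at or above that cap, the realloc does not grow the array and the following tab[nb++] = (intptr_t)elem writes past the end of the allocation. Suggest treating that case as a failure before calling av_realloc, for example returning early when nb >= INT_MAX / sizeof(intptr_t), the same way the new !tab check does. Separately, nb <= INT_MAX / (2 * sizeof(intptr_t)) compares an int against a size_t expression; an explicit cast or a short comment would make the intended arithmetic clear.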
diff --git a/libavutil/mem.h b/libavutil/mem.h
index 8ae0939..72610ef 100644
--- a/libavutil/mem.h
+++ b/libavutil/mem.h
@@ -197,7 +197,8 @@ void av_freep(void *ptr);
*
* In case of success, the pointer to the array is updated in order to
* contain the new growed array, and the number pointed to by nb_ptr
- * is incremented.
+ * is incremented. In case of failure, the array is not modified and
+ * *nb_ptr is not updated.
*
* @param tab_ptr pointer to the array to grow
* @param nb_ptr pointer to the number of elements in the array
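Review bot: The added sentence says *nb_ptr is not updated on failure, but av_dynarray_add() returns void, so the text should also state how a caller is expected to detect the failure (for instance by comparing *nb_ptr before and after the call) and that elem has not been stored in the array in that case. While this paragraph is being edited, "growed" in the context line above could be corrected to "grown".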
--
1.7.9.5