[FFmpeg-devel] [PATCH] oggdec: add integer overflow and allocation check in ogg_read_page()
Stefano Sabatini
stefano.sabatini-lala at poste.it
Mon May 23 00:04:29 CEST 2011
---
libavformat/oggdec.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 7f65365..f137b97 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -288,7 +288,13 @@ static int ogg_read_page(AVFormatContext *s, int *str)
}
if (os->bufsize - os->bufpos < size){
- uint8_t *nb = av_malloc (os->bufsize *= 2);
+ uint8_t *nb;
+ if (os->bufsize > SIZE_MAX/2) {
+ av_log(s, AV_LOG_ERROR, "Ogg page with size %u is too big\n", os->bufsize);
+ return AVERROR_INVALIDDATA;
+ }
+ if (!(nb = av_malloc(os->bufsize *= 2)))
+ return AVERROR(ENOMEM);
memcpy (nb, os->buf, os->bufpos);
av_free (os->buf);
os->buf = nb;
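Review bot: When `av_malloc` fails, `os->bufsize` has already been doubled by the `os->bufsize *= 2` in its argument while `os->buf` still points at the old, smaller allocation, so any later use of this stream after the `AVERROR(ENOMEM)` return would trust a capacity the buffer does not have. Compute the size in a local and commit it only after success: `unsigned new_size = os->bufsize * 2;`, `if (!(nb = av_malloc(new_size))) return AVERROR(ENOMEM);`, then `os->bufsize = new_size;` next to `os->buf = nb;`. Separately, the `%u` in the log call suggests `bufsize` is an `unsigned int`; if so, the `SIZE_MAX/2` bound can never be reached on targets where `size_t` is wider and the multiplication can still wrap, so `if (os->bufsize > UINT_MAX/2)` would match the field's type (confirm against the struct declaration, which is outside this hunk). The body of `ogg_read_page` starts and ends outside the hunk.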
--
1.7.2.3