From 7ede8d47677a51e9ed2294ba9556c15314e480f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?=
Date: Wed, 5 Aug 2020 01:30:04 +0200
Subject: [PATCH] framing: check for overflow on growing buffer

newsize is a long, but storage is an int. This means the allocation could succeed but storage would overflow.
---
 src/framing.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/framing.c b/src/framing.c
index ef81912..d5868e8 100644
--- a/src/framing.c
+++ b/src/framing.c
@@ -600,6 +600,10 @@ char *ogg_sync_buffer(ogg_sync_state *oy, long size){
     long newsize=size+oy->fill+4096; /* an extra page to be nice */
     void *ret;
 
+    if(newsize>INT_MAX){
+      ogg_sync_clear(oy);
+      return NULL;
+    }
     if(oy->data)
       ret=_ogg_realloc(oy->data,newsize);
     else
-- 
2.28.0
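Review bot: The new guard compares `newsize` only after `size+oy->fill+4096` has already been evaluated on the line above it, so on targets where `long` is 32 bits (ILP32, and LLP64 Windows) the test can never be true and a `size` near LONG_MAX overflows the signed addition before the guard is reached; a negative `size` also passes the guard on every target and reaches `_ogg_realloc` with a nonsensical length. Rejecting the operands before the addition covers both cases: `if(size<0 || oy->fill<0 || size>INT_MAX-4096-oy->fill){ ogg_sync_clear(oy); return NULL; }` — this presumes `oy->fill` is an int bounded by the current storage, which the hunk does not show. `INT_MAX` requires `<limits.h>`; whether framing.c already includes it is outside the hunk. ogg_sync_buffer begins and ends outside the hunk.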