framing: check for overflow on growing buffer

newsize is a long, but storage is an int. This means the allocation could succeed but storage would overflow. Closes #2300
2020-08-05 01:30:04 +02:00 · 2020-08-05 01:30:04 +02:00 · 684c73773e
commit 684c73773e
parent 0bbcba4e7c
1 changed files with 6 additions and 1 deletions
--- a/src/framing.c
+++ b/src/framing.c
@ -597,9 +597,14 @@ char *ogg_sync_buffer(ogg_sync_state *oy, long size){

  if(size>oy->storage-oy->fill){
    /* We need to extend the internal buffer */
-    long newsize=size+oy->fill+4096; /* an extra page to be nice */
+    long newsize;
    void *ret;

+    if(size>INT_MAX-4096-oy->fill){
+      ogg_sync_clear(oy);
+      return NULL;
+    }
+    newsize=size+oy->fill+4096; /* an extra page to be nice */
    if(oy->data)
      ret=_ogg_realloc(oy->data,newsize);
    else