framing: check for overflow on growing buffer

newsize is a long, but storage is an int. This means the allocation could succeed but storage would overflow. Closes #2300
38github · Aug 9, 2020 · 684c737 · 684c737
1 parent 0bbcba4
commit 684c737
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/framing.c b/src/framing.c
@@ -597,9 +597,14 @@ char *ogg_sync_buffer(ogg_sync_state *oy, long size){
 
   if(size>oy->storage-oy->fill){
     /* We need to extend the internal buffer */
-    long newsize=size+oy->fill+4096; /* an extra page to be nice */
+    long newsize;
     void *ret;
 
+    if(size>INT_MAX-4096-oy->fill){
+      ogg_sync_clear(oy);
+      return NULL;
+    }
+    newsize=size+oy->fill+4096; /* an extra page to be nice */
     if(oy->data)
       ret=_ogg_realloc(oy->data,newsize);
     else