From fa0bc627c5d83f5d8c8f16dec3f46d8c66304488 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sun, 24 May 2020 04:04:29 +0200
Subject: [PATCH] avformat/aviobuf: Stop restricting dynamic buffer sizes to INT_MAX/2

This has originally been done in 568e18b15e2ddf494fd8926707d34ca08c8edce5 as a precaution against integer overflows, but it is actually easy to support the full range of int without overflows.

Signed-off-by: Andreas Rheinhardt
---
 libavformat/aviobuf.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 12408fd211..85f6f06de0 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -1288,7 +1288,7 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size)
 /* reallocate buffer if needed */
 new_size = (unsigned)d->pos + buf_size;
- if (new_size < d->pos || new_size > INT_MAX/2)
+ if (new_size < d->pos || new_size > INT_MAX)
 return -1;
 if (new_size > d->allocated_size) {
 unsigned new_allocated_size = d->allocated_size ? d->allocated_size
@@ -1297,6 +1297,8 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size)
 while (new_size > new_allocated_size)
 new_allocated_size += new_allocated_size / 2 + 1;
+ new_allocated_size = FFMIN(new_allocated_size, INT_MAX);
+
 if ((err = av_reallocp(&d->buffer, new_allocated_size)) < 0) {
 d->allocated_size = 0;
 d->size = 0;
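Review bot: The relaxed bound in the first hunk (`new_size > INT_MAX`) has no comment recording that the stored size can now sit exactly at `INT_MAX`, so the headroom the old `INT_MAX/2` limit gave to other `int` arithmetic on `d->size` / `d->pos` is gone. The arithmetic visible here stays safe, since the sum is formed as `unsigned` and both wraparound and values above `INT_MAX` are rejected. Code outside this hunk that adds padding or a header length to the buffer size is not shown, so it is worth confirming that it does its own range check. I would put `/* new_size may reach INT_MAX: users of d->size must not add to it in int arithmetic without an overflow check */` above the test. The body of dyn_buf_write starts before this hunk.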
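Review bot: The new `FFMIN(new_allocated_size, INT_MAX)` clamp in the second hunk is correct but undocumented, and the reason the growth loop above it cannot wrap is not obvious to a reader. It holds because `new_allocated_size < new_size <= INT_MAX` before every step, so one step of `x + x/2 + 1` stays well below `UINT_MAX` and can only overshoot `INT_MAX`, which the clamp then trims. I would add `/* no unsigned wrap: new_allocated_size < new_size <= INT_MAX before each step; the last step may overshoot INT_MAX, so clamp */` above the added line. That keeps a later change to the growth factor or to the bound in the first hunk from silently breaking the invariant. The declaration of `new_allocated_size` and the `av_reallocp` error branch both continue outside the hunk.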