[FFmpeg-cvslog] lavu/mem: fix potential int overflow and crash in av_dynarray_add()

Stefano Sabatini git at videolan.org
Wed May 8 01:44:01 CEST 2013


ffmpeg | branch: master | Stefano Sabatini <stefasab at gmail.com> | Thu Apr 25 00:27:46 2013 +0200| [ee9794ed20528c2aa4c53cf67cb218bdce6e0485] | committer: Stefano Sabatini

lavu/mem: fix potential int overflow and crash in av_dynarray_add()

Also extend documentation accordingly.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ee9794ed20528c2aa4c53cf67cb218bdce6e0485
---

 libavutil/mem.c |   14 ++++++++++++--
 libavutil/mem.h |    2 ++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/libavutil/mem.c b/libavutil/mem.c
index cfa4cbd..03bf2c8 100644
--- a/libavutil/mem.c
+++ b/libavutil/mem.c
@@ -249,15 +249,25 @@ void av_dynarray_add(void *tab_ptr, int *nb_ptr, void *elem)
     nb = *nb_ptr;
     tab = *(intptr_t**)tab_ptr;
     if ((nb & (nb - 1)) == 0) {
-        if (nb == 0)
+        if (nb == 0) {
             nb_alloc = 1;
-        else
+        } else {
+            if (nb > INT_MAX / (2 * sizeof(intptr_t)))
+                goto fail;
             nb_alloc = nb * 2;
+        }
         tab = av_realloc(tab, nb_alloc * sizeof(intptr_t));
+        if (!tab)
+            goto fail;
         *(intptr_t**)tab_ptr = tab;
     }
     tab[nb++] = (intptr_t)elem;
     *nb_ptr = nb;
+    return;
+
+fail:
+    av_freep(tab_ptr);
+    *nb_ptr = 0;
 }
 
 static void fill16(uint8_t *dst, int len)
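Review bot: The `fail:` path frees only the pointer table through `av_freep(tab_ptr)`; the objects whose addresses were stored in it, and the `elem` being added, are not released, and since the function still returns void a caller can detect the failure only by testing `*tab_ptr` afterwards. A caller that skips that test and keeps indexing with a cached count would dereference NULL, and one that simply keeps adding would silently restart from an empty array and lose every earlier element. I would state this at the label, e.g. `/* only the table is freed; the elements and elem remain the caller's to release, so callers must check *tab_ptr */`, and add the same sentence to the mem.h comment changed in the second hunk, which describes the reset but not the ownership consequence. The function body starts before this hunk, so the declaration of `nb_alloc` is not visible here.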
diff --git a/libavutil/mem.h b/libavutil/mem.h
index 861029a..58c26b1 100644
--- a/libavutil/mem.h
+++ b/libavutil/mem.h
@@ -209,6 +209,8 @@ void av_freep(void *ptr);
  * In case of success, the pointer to the array is updated in order to
  * point to the new grown array, and the number pointed to by nb_ptr
  * is incremented.
+ * In case of failure, the array is freed, *tab_ptr is set to NULL and
+ * *nb_ptr is set to 0.
  *
  * @param tab_ptr pointer to the array to grow
  * @param nb_ptr  pointer to the number of elements in the array


