Fix potential integer overflows in memory allocation.

Patch by Rich and me


git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@18559 b3059339-0415-0410-9bf9-f77b7e298cf2

1 files changed, 6 insertions, 1 deletions

diff --git a/libmpdemux/http.c b/libmpdemux/http.c
index 95ad075333..d175c9b8a3 100644
--- a/libmpdemux/http.c
+++ b/libmpdemux/http.c
@@ -315,6 +315,10 @@ int
 http_response_append( HTTP_header_t *http_hdr, char *response, int length ) {
 	if( http_hdr==NULL || response==NULL || length<0 ) return -1;
 
+	if( (unsigned)length > SIZE_MAX - http_hdr->buffer_size - 1) {
+		mp_msg(MSGT_NETWORK,MSGL_FATAL,"Bad size in memory (re)allocation\n");
+		return -1;
+	}
 	http_hdr->buffer = (char*)realloc( http_hdr->buffer, http_hdr->buffer_size+length+1 );
 	if( http_hdr->buffer==NULL ) {
 		mp_msg(MSGT_NETWORK,MSGL_FATAL,"Memory (re)allocation failed\n");
@@ -340,7 +344,8 @@ int
 http_response_parse( HTTP_header_t *http_hdr ) {
 	char *hdr_ptr, *ptr;
 	char *field=NULL;
-	int pos_hdr_sep, hdr_sep_len, len;
+	int pos_hdr_sep, hdr_sep_len;
+	size_t len;
 	if( http_hdr==NULL ) return -1;
 	if( http_hdr->is_parsed ) return 0;