@@ -1276,7 +1276,7 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size)
/* reallocate buffer if needed */
new_size = (unsigned)d->pos + buf_size;
- if (new_size < d->pos || new_size > INT_MAX/2)
+ if (new_size < d->pos || new_size > INT_MAX)
return -1;
if (new_size > d->allocated_size) {
unsigned new_allocated_size = d->allocated_size ? d->allocated_size
@@ -1285,6 +1285,8 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size)
while (new_size > new_allocated_size)
new_allocated_size += new_allocated_size / 2 + 1;
+ new_allocated_size = FFMIN(new_allocated_size, INT_MAX);
+
if ((err = av_reallocp(&d->buffer, new_allocated_size)) < 0) {
d->allocated_size = 0;
d->size = 0;
This has originally been done in 568e18b15e2ddf494fd8926707d34ca08c8edce5 as a precaution against integer overflows, but it is actually easy to support the full range of int without overflows. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> --- libavformat/aviobuf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)