MemIOCallback: fix buffer overflow when writing too much data

If the addition of 2 positive values is smaller than one of the values then we have an overflowing addition. In this case we will not be able to allocate that much, just return a size written as 0. (cherry picked from commit 2d5c11c) Signed-off-by: Steve Lhomme <slhomme@matroska.org>
Matroska-Org · Nov 4, 2023 · f3249a7 · f3249a7
1 parent 4c0d757
commit f3249a7
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/MemIOCallback.cpp b/src/MemIOCallback.cpp
@@ -96,6 +96,8 @@ void MemIOCallback::setFilePointer(int64 Offset, seek_mode Mode)
 
 size_t MemIOCallback::write(const void *Buffer, size_t Size)
 {
+  if (dataBufferPos + Size < Size) // overflow, we can't hold that much
+    return 0;
   if (dataBufferMemorySize < dataBufferPos + Size) {
     //We need more memory!
     dataBuffer = static_cast<binary *>(realloc(static_cast<void *>(dataBuffer), dataBufferPos + Size));
@@ -110,6 +112,8 @@ size_t MemIOCallback::write(const void *Buffer, size_t Size)
 
 uint32 MemIOCallback::write(IOCallback & IOToRead, size_t Size)
 {
+  if (dataBufferPos + Size < Size) // overflow, we can't hold that much
+    return 0;
   if (dataBufferMemorySize < dataBufferPos + Size) {
     //We need more memory!
     dataBuffer = static_cast<binary *>(realloc(static_cast<void *>(dataBuffer), dataBufferPos + Size));