From a0f5c4153f50c9f7b6efb9d3edeb9faf27c74c08 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Thu, 3 Jul 2025 19:31:48 +0200
Subject: [PATCH] builder: avoid oveflow

---
 spa/include/spa/pod/builder.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/spa/include/spa/pod/builder.h b/spa/include/spa/pod/builder.h
index abfaa8aaa..2e3f5982a 100644
--- a/spa/include/spa/pod/builder.h
+++ b/spa/include/spa/pod/builder.h
@@ -135,8 +135,12 @@ SPA_API_POD_BUILDER int spa_pod_builder_raw(struct spa_pod_builder *builder, con
 	struct spa_pod_frame *f;
 	uint32_t offset = builder->state.offset;
 	size_t data_offset = -1;
+	uint64_t total_size = offset + (uint64_t) size;
+
+	if (total_size > builder->size) {
+		if (total_size > UINT32_MAX)
+			return -ENOSPC;
-	if (offset + size > builder->size) {
 		/* data could be inside the data we will realloc */
 		if (spa_ptrinside(builder->data, builder->size, data, size, NULL))
 			data_offset = SPA_PTRDIFF(data, builder->data);
@@ -145,7 +149,7 @@ SPA_API_POD_BUILDER int spa_pod_builder_raw(struct spa_pod_builder *builder, con
 		if (offset <= builder->size)
 			spa_callbacks_call_res(&builder->callbacks, struct spa_pod_builder_callbacks, res,
-					overflow, 0, offset + size);
+					overflow, 0, total_size);
 	}
 	if (res == 0 && data) {
 		if (data_offset != (size_t) -1)
@@ -154,7 +158,7 @@ SPA_API_POD_BUILDER int spa_pod_builder_raw(struct spa_pod_builder *builder, con
 			memcpy(SPA_PTROFF(builder->data, offset, void), data, size);
 	}
-	builder->state.offset += size;
+	builder->state.offset = total_size;
 	for (f = builder->state.frame; f ; f = f->parent)
 		f->pod.size += size;
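Review bot: The assignment `builder->state.offset = total_size;` in the third hunk silently narrows a uint64_t into a field that the first hunk's `uint32_t offset = builder->state.offset;` shows is 32 bits wide; it is only safe because of the `> UINT32_MAX` early return in the first hunk, which a reader of the third hunk cannot see, and it trips -Wconversion. Making the narrowing explicit documents the invariant: `builder->state.offset = (uint32_t) total_size; /* <= UINT32_MAX, checked at the top */`. The same implicit narrowing happens in the second hunk where `total_size` is passed as the overflow callback's size argument, so the cast and comment belong there too. The `for` loop after the assignment still accumulates `size` into each frame's 32-bit `pod.size`; that is presumably bounded by `total_size` because frames lie inside the buffer, but it is worth confirming. The function's opening and the declaration of `res` are outside the hunks.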