avcodec/hashtable: Check for overflow

Reviewed-by: Emma Worley <emma@emma.gg> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
author: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> 2025-06-03 22:35:03 +0200
committer: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> 2025-06-04 15:13:55 +0200
commit: 2e45d2f7d38acb1c37042d994f15e4c66da601fe (patch)
tree: ab4820d0a83d9bd995a19cc3d76aa0dda8980c6e
parent: 1e6fdafce07a85f123e4b7afe31d38d937a253b7 (diff)
download: ffmpeg-2e45d2f7d38acb1c37042d994f15e4c66da601fe.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/libavcodec/hashtable.c b/libavcodec/hashtable.c
index fa79330603..ec8eca471f 100644
--- a/libavcodec/hashtable.c
+++ b/libavcodec/hashtable.c
@@ -56,12 +56,18 @@ struct FFHashtableContext {
 
 int ff_hashtable_alloc(struct FFHashtableContext **ctx, size_t key_size, size_t val_size, size_t max_entries)
 {
+    const size_t keyval_size = key_size + val_size;
+
+    if (keyval_size < key_size || // did (unsigned,defined) wraparound happen?
+        keyval_size > SIZE_MAX - sizeof(size_t) - (ALIGN - 1))
+        return AVERROR(ERANGE);
+
     FFHashtableContext *res = av_mallocz(sizeof(*res));
     if (!res)
         return AVERROR(ENOMEM);
     res->key_size = key_size;
     res->val_size = val_size;
-    res->entry_size = FFALIGN(sizeof(size_t) + key_size + val_size, ALIGN);
+    res->entry_size = FFALIGN(sizeof(size_t) + keyval_size, ALIGN);
     res->max_entries = max_entries;
     res->nb_entries = 0;
     res->crc = av_crc_get_table(AV_CRC_32_IEEE);
author	Andreas Rheinhardt <andreas.rheinhardt@outlook.com>	2025-06-03 22:35:03 +0200
committer	Andreas Rheinhardt <andreas.rheinhardt@outlook.com>	2025-06-04 15:13:55 +0200
commit	2e45d2f7d38acb1c37042d994f15e4c66da601fe (patch)
tree	ab4820d0a83d9bd995a19cc3d76aa0dda8980c6e
parent	1e6fdafce07a85f123e4b7afe31d38d937a253b7 (diff)
download	ffmpeg-2e45d2f7d38acb1c37042d994f15e4c66da601fe.tar.gz