@@ -79,6 +79,7 @@ static void speex_free (void *ptr) {free(ptr);}
7979
8080#include "stack_alloc.h"
8181#include <math.h>
82+ #include <limits.h>
8283
8384#ifndef M_PI
8485#define M_PI 3.14159265358979323846
@@ -639,15 +640,20 @@ static int update_filter(SpeexResamplerState *st)
639640 }
640641
641642 /* Choose the resampling type that requires the least amount of memory */
643+ use_direct =
642644#ifdef RESAMPLE_HUGEMEM
643- use_direct = st -> den_rate <= 16 * (st -> oversample + 8 );
645+ st -> den_rate <= 16 * (st -> oversample + 8 )
644646#else
645- use_direct = st -> filt_len * st -> den_rate <= st -> filt_len * st -> oversample + 8 ;
647+ st -> filt_len * st -> den_rate <= st -> filt_len * st -> oversample + 8
646648#endif
649+ && INT_MAX /sizeof (spx_word16_t )/st -> den_rate >= st -> filt_len ;
647650 if (use_direct )
648651 {
649652 min_sinc_table_length = st -> filt_len * st -> den_rate ;
650653 } else {
654+ if ((INT_MAX /sizeof (spx_word16_t )- 8 )/st -> oversample < st -> filt_len )
655+ goto fail ;
656+
651657 min_sinc_table_length = st -> filt_len * st -> oversample + 8 ;
652658 }
653659 if (st -> sinc_table_length < min_sinc_table_length )
@@ -694,16 +700,20 @@ static int update_filter(SpeexResamplerState *st)
694700 /*fprintf (stderr, "resampler uses interpolated sinc table and normalised cutoff %f\n", cutoff);*/
695701 }
696702
697-
698703 /* Here's the place where we update the filter memory to take into account
699704 the change in filter length. It's probably the messiest part of the code
700705 due to handling of lots of corner cases. */
706+
707+ /* Adding buffer_size to filt_len won't overflow here because filt_len
708+ could be multiplied by sizeof(spx_word16_t) above. */
701709 min_alloc_size = st -> filt_len - 1 + st -> buffer_size ;
702710 if (min_alloc_size > st -> mem_alloc_size )
703711 {
704- spx_word16_t * mem = (spx_word16_t * )speex_realloc (st -> mem , st -> nb_channels * min_alloc_size * sizeof (spx_word16_t ));
705- if (!mem )
706- goto fail ;
712+ spx_word16_t * mem ;
713+ if (INT_MAX /sizeof (spx_word16_t )/st -> nb_channels < min_alloc_size )
714+ goto fail ;
715+ else if (!(mem = (spx_word16_t * )speex_realloc (st -> mem , st -> nb_channels * min_alloc_size * sizeof (* mem ))))
716+ goto fail ;
707717
708718 st -> mem = mem ;
709719 st -> mem_alloc_size = min_alloc_size ;
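Review bot: The new guard before the realloc divides by `st->nb_channels`, and the two guards added in the sinc-table hunk divide by `st->den_rate` and `st->oversample`, but none of the visible lines shows these fields being rejected when zero, so a zero value would turn an overflow check into a division by zero. update_filter starts and ends outside these hunks, so this may already be enforced where the state is initialised or the rate is set. If it is not, I would make the guard explicit, e.g. `if (st->nb_channels == 0 || INT_MAX/sizeof(spx_word16_t)/st->nb_channels < min_alloc_size) goto fail;`, and treat the other two divisors the same way. Either way, a short comment next to the checks saying the divisors are non-zero by construction, and where that is guaranteed, would help the next reader.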