lavu/mem: fix potential int overflow and crash in av_dynarray_add()

Also extend documentation accordingly.

1 files changed, 12 insertions, 2 deletions

diff --git a/libavutil/mem.c b/libavutil/mem.c
index cfa4cbd57a..03bf2c8607 100644
--- a/libavutil/mem.c
+++ b/libavutil/mem.c
@@ -249,15 +249,25 @@ void av_dynarray_add(void *tab_ptr, int *nb_ptr, void *elem)
     nb = *nb_ptr;
     tab = *(intptr_t**)tab_ptr;
     if ((nb & (nb - 1)) == 0) {
-        if (nb == 0)
+        if (nb == 0) {
             nb_alloc = 1;
-        else
+        } else {
+            if (nb > INT_MAX / (2 * sizeof(intptr_t)))
+                goto fail;
             nb_alloc = nb * 2;
+        }
         tab = av_realloc(tab, nb_alloc * sizeof(intptr_t));
+        if (!tab)
+            goto fail;
         *(intptr_t**)tab_ptr = tab;
     }
     tab[nb++] = (intptr_t)elem;
     *nb_ptr = nb;
+    return;
+
+fail:
+    av_freep(tab_ptr);
+    *nb_ptr = 0;
 }
 
 static void fill16(uint8_t *dst, int len)