From b3415e4c5f9205820fd6c9211ad50a4df2692a36 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sat, 11 Jul 2015 22:47:09 +0200
Subject: avutil/mem: Fix potential overflow in overallocation code

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavutil/mem.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'libavutil')

diff --git a/libavutil/mem.c b/libavutil/mem.c
index da291fb970..d828cccb1a 100644
--- a/libavutil/mem.c
+++ b/libavutil/mem.c
@@ -480,7 +480,7 @@ void *av_fast_realloc(void *ptr, unsigned int *size, size_t min_size)
     if (min_size < *size)
         return ptr;
 
-    min_size = FFMAX(17 * min_size / 16 + 32, min_size);
+    min_size = FFMAX(min_size + min_size / 16 + 32, min_size);
 
     ptr = av_realloc(ptr, min_size);
     /* we could set this to the unmodified min_size but this is safer
@@ -500,7 +500,7 @@ static inline int ff_fast_malloc(void *ptr, unsigned int *size, size_t min_size,
 
     if (min_size < *size)
         return 0;
-    min_size = FFMAX(17 * min_size / 16 + 32, min_size);
+    min_size = FFMAX(min_size + min_size / 16 + 32, min_size);
     av_freep(ptr);
     val = zero_realloc ? av_mallocz(min_size) : av_malloc(min_size);
     memcpy(ptr, &val, sizeof(val));
-- 
cgit v1.2.3