Remove redundant post-multiplication overflow check and free the old buffer if

rootvector2 · rootvector2 · commit 8731e7e7971a · 2026-02-07T11:53:31.000+05:30
avifAlloc() fails while resizing the array
diff --git a/src/utils.c b/src/utils.c
@@ -5,7 +5,6 @@
 
 #include <assert.h>
 #include <math.h>
-#include <stdint.h>
 #include <string.h>
 
 float avifRoundf(float v)
@@ -90,11 +89,6 @@ avifBool avifArrayCreate(void * arrayStruct, uint32_t elementSize, uint32_t init
     arr->elementSize = elementSize ? elementSize : 1;
     arr->count = 0;
     arr->capacity = initialCapacity;
-    if (arr->capacity > SIZE_MAX / arr->elementSize) {
-        arr->ptr = NULL;
-        arr->capacity = 0;
-        return AVIF_FALSE;
-    }
     size_t byteCount = (size_t)arr->elementSize * arr->capacity;
     arr->ptr = (uint8_t *)avifAlloc(byteCount);
     if (!arr->ptr) {
@@ -111,27 +105,22 @@ void * avifArrayPush(void * arrayStruct)
     if (arr->count == arr->capacity) {
         uint8_t * oldPtr = arr->ptr;
         size_t oldByteCount = (size_t)arr->elementSize * arr->capacity;
-        
+
         // Check for overflow before doubling the allocation size
         // If oldByteCount > SIZE_MAX/2, then oldByteCount * 2 would overflow
         if (oldByteCount > SIZE_MAX / 2) {
-            // Cannot safely double the allocation size
             return NULL;
         }
-        
+
         size_t newByteCount = oldByteCount * 2;
-        
-        // Additional safety check: verify the multiplication didn't overflow
-        if (newByteCount < oldByteCount) {
-            // Overflow occurred despite the check (shouldn't happen, but defense in depth)
-            return NULL;
-        }
-        
-        arr->ptr = (uint8_t *)avifAlloc(newByteCount);
-        if (arr->ptr == NULL) {
-            arr->ptr = oldPtr;
+
+        uint8_t * newPtr = (uint8_t *)avifAlloc(newByteCount);
+        if (newPtr == NULL) {
+            avifFree(oldPtr);
             return NULL;
         }
+
+        arr->ptr = newPtr;
         memset(arr->ptr + oldByteCount, 0, oldByteCount);
         memcpy(arr->ptr, oldPtr, oldByteCount);
         arr->capacity *= 2;
