From 5f64f6058e0c23641a68ce7dfe47b1f55efd401c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 21 Jun 2019 00:47:17 +0200 Subject: [PATCH] avcodec/alsdec: Fix integer overflow with buffer number Fixes: signed integer overflow: 65313 * 65313 cannot be represented in type 'int' Fixes: 15290/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5738074249625600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 4b69775414..e38d7b21d3 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1993,6 +1993,8 @@ static av_cold int decode_init(AVCodecContext *avctx) // allocate quantized parcor coefficient buffer num_buffers = sconf->mc_coding ? avctx->channels : 1; + if (num_buffers * (uint64_t)num_buffers > INT_MAX) // protect chan_data_buffer allocation + return AVERROR_INVALIDDATA; ctx->quant_cof = av_malloc_array(num_buffers, sizeof(*ctx->quant_cof)); ctx->lpc_cof = av_malloc_array(num_buffers, sizeof(*ctx->lpc_cof));