This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.0 in repository ffmpeg.
commit 1b3eab8e9c7543dc8a80df386576b28ae7a4030a Author: Michael Niedermayer <[email protected]> AuthorDate: Thu May 21 22:42:45 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun Jun 14 04:59:07 2026 +0200 avfilter/f_ebur128: avoid signed-int wrap when sizing per-channel cache Fixes: integer overflow Fixes: out of array access Found-by: Claude (Anthropic), reported by Omkhar Arasaratnam <[email protected]>. (cherry picked from commit 537e87e3c28b5c09d4ee9dcf17cee272dc97bc16) Signed-off-by: Michael Niedermayer <[email protected]> --- libavfilter/f_ebur128.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavfilter/f_ebur128.c b/libavfilter/f_ebur128.c index 84d8e44035..4132fa3cfe 100644 --- a/libavfilter/f_ebur128.c +++ b/libavfilter/f_ebur128.c @@ -445,15 +445,22 @@ static int config_audio_output(AVFilterLink *outlink) if (!ebur128->ch_weighting || !ebur128->dsp.y || !ebur128->dsp.z) return AVERROR(ENOMEM); -#define I400_BINS(x) ((x) * 4 / 10) +#define I400_BINS(x) ((x) * 2 / 5) #define I3000_BINS(x) ((x) * 3) + if (outlink->sample_rate > INT_MAX/3U || outlink->sample_rate < 3) + return AVERROR(EINVAL); + ebur128->i400.cache_size = I400_BINS(outlink->sample_rate); ebur128->i3000.cache_size = I3000_BINS(outlink->sample_rate); + size_t i400_count, i3000_count; + if (av_size_mult(nb_channels, ebur128->i400.cache_size, &i400_count) < 0 || i400_count > INT_MAX || + av_size_mult(nb_channels, ebur128->i3000.cache_size, &i3000_count) < 0 || i3000_count > INT_MAX) + return AVERROR(EINVAL); ebur128->i400.sum = av_calloc(nb_channels, sizeof(*ebur128->i400.sum)); ebur128->i3000.sum = av_calloc(nb_channels, sizeof(*ebur128->i3000.sum)); - ebur128->i400.cache = av_calloc(nb_channels * ebur128->i400.cache_size, sizeof(*ebur128->i400.cache)); - ebur128->i3000.cache = av_calloc(nb_channels * ebur128->i3000.cache_size, sizeof(*ebur128->i3000.cache)); + ebur128->i400.cache = av_calloc(i400_count, sizeof(*ebur128->i400.cache)); + ebur128->i3000.cache = av_calloc(i3000_count, sizeof(*ebur128->i3000.cache)); if (!ebur128->i400.sum || !ebur128->i3000.sum || !ebur128->i400.cache || !ebur128->i3000.cache) return AVERROR(ENOMEM); _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
