This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.0 in repository ffmpeg.
commit 5fb7b6fc456715e05de025853aaefdcb843445ae
Author:     David Korczynski <[email protected]>
AuthorDate: Thu May 21 05:56:17 2026 -0700
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Sun Jun 14 04:59:11 2026 +0200

    avcodec/fastaudio: reject subframes count whose * 256 product overflows 32-bit

    fastaudio_decode() computes

        subframes = pkt->size / (40 * channels);
        frame->nb_samples = subframes * 256;

    both as 32-bit signed multiplications. When pkt->size is large enough to
    make subframes >= 2^24, the second multiplication overflows the signed int
    range and frame->nb_samples wraps to a small value. ff_get_buffer() then
    sizes the audio plane for that wrapped sample count, while the decoder
    loop at line 152 still iterates the full (unwrapped) subframes count,
    performing a 1024-byte memcpy per subframe per channel. The 27th iteration
    (or first iteration with nb_samples=0) writes one byte past the per-plane
    allocation, yielding the ASan heap-buffer-overflow WRITE at
    libavcodec/fastaudio.c:171 reported as ANT-2026-03891.

    Reject the subframes value whose *256 product would overflow before
    performing the multiplication. The bound INT_MAX / 256 (= 8388607) keeps
    the existing two's-complement semantics of every reachable input and
    rejects only the configurations that would have wrapped.

    Reproducer: a crafted AVI declaring one mono audio chunk of 671_088_680
    bytes (sparse) with the decoder forced via
    'ffmpeg -c:a fastaudio -i evil.avi'.

    Found-by: Anthropic agents; validated and reported by Ada Logics.
    Signed-off-by: David Korczynski <[email protected]>
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 1e9984772b6ef878d3ae4a58e01d6a6d63a61bd7)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/fastaudio.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/fastaudio.c b/libavcodec/fastaudio.c
index ee31a06f18..a880027156 100644
--- a/libavcodec/fastaudio.c
+++ b/libavcodec/fastaudio.c
@@ -113,6 +113,8 @@ static int fastaudio_decode(AVCodecContext *avctx, AVFrame *frame, int ret; subframes = pkt->size / (40 * avctx->ch_layout.nb_channels); + if (subframes <= 0 || subframes > INT_MAX / 256) + return AVERROR_INVALIDDATA; frame->nb_samples = subframes * 256; if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
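Review bot: the `subframes <= 0` half of the added condition is not explained anywhere. The subject line and the message's statement that the bound "rejects only the configurations that would have wrapped" cover only `subframes > INT_MAX / 256`, yet the check now also returns AVERROR_INVALIDDATA for any packet shorter than one subframe (`pkt->size` below `40 * avctx->ch_layout.nb_channels`). If that rejection is intended, say so in a one-line comment above the `if` (for example that a zero count would request a zero-sample buffer), or split it into its own condition so the two reasons can be read separately. A second, smaller point: the literal 256 now appears in both `INT_MAX / 256` and `subframes * 256`, and the guard is only correct while the two agree, so a named constant for the samples-per-subframe value would keep the bound and the multiplication from drifting apart. The division by `40 * avctx->ch_layout.nb_channels` on the context line above has no visible guard in this hunk; worth confirming the channel count is validated as nonzero before decode is reached.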
