PR #22990 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22990
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22990.patch

Fixes: integer overflow on 32bit


From dbf300fc7100ca6c3fac6be7476b3b9337e5c964 Mon Sep 17 00:00:00 2001
From: Niels Provos <[email protected]>
Date: Fri, 1 May 2026 19:48:16 +0200
Subject: [PATCH] avcodec/hevc/refs: Check multiplication in alloc_frame()

Fixes: integer overflow on 32bit
---
 libavcodec/hevc/refs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/hevc/refs.c b/libavcodec/hevc/refs.c
index ccf7258ec4..1faede4e3d 100644
--- a/libavcodec/hevc/refs.c
+++ b/libavcodec/hevc/refs.c
@@ -162,7 +162,10 @@ static HEVCFrame *alloc_frame(HEVCContext *s, 
HEVCLayerContext *l)
         if (ret < 0)
             goto fail;
 
-        frame->rpl = av_refstruct_allocz(s->pkt.nb_nals * sizeof(*frame->rpl));
+        size_t rpl_bytes;
+        if (av_size_mult(s->pkt.nb_nals, sizeof(*frame->rpl), &rpl_bytes) < 0)
+            goto fail;
+        frame->rpl = av_refstruct_allocz(rpl_bytes);
         if (!frame->rpl)
             goto fail;
         frame->nb_rpl_elems = s->pkt.nb_nals;
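Review bot: the overflow branch added in alloc_frame() takes the same bare `goto fail` as the `!frame->rpl` allocation failure below it, so a size overflow is reported exactly like out-of-memory and the return value of av_size_mult() is dropped. If the fail path has no logging of its own, consider an av_log() here so a rejected `s->pkt.nb_nals` is distinguishable when triaging. Two smaller points: `size_t rpl_bytes;` is declared after the `if (ret < 0) goto fail;` statement in the middle of the block, and moving it to the top of the enclosing scope would keep the hunk to the check and the allocation. The commit message says only "integer overflow on 32bit"; naming the product `s->pkt.nb_nals * sizeof(*frame->rpl)` and why it is reachable would make the fix easier to audit and backport.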
-- 
2.52.0
