PR #22993 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22993 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22993.patch
Fixes: integer overflow Found-by: Dhiraj Mishra <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> >From 58e5b81506dba62592a88f424af130994468f455 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Fri, 1 May 2026 21:33:25 +0200 Subject: [PATCH] avcodec/dfpwmdec: Check nb_samples Fixes: integer overflow Found-by: Dhiraj Mishra <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/dfpwmdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/dfpwmdec.c b/libavcodec/dfpwmdec.c index 4ddb806561..6a7a23e39d 100644 --- a/libavcodec/dfpwmdec.c +++ b/libavcodec/dfpwmdec.c @@ -101,15 +101,16 @@ static int dfpwm_dec_frame(struct AVCodecContext *ctx, AVFrame *frame, { DFPWMState *state = ctx->priv_data; int ret; + uint64_t nb_samples = packet->size * 8LL / ctx->ch_layout.nb_channels; if (packet->size * 8LL % ctx->ch_layout.nb_channels) return AVERROR_PATCHWELCOME; - frame->nb_samples = packet->size * 8LL / ctx->ch_layout.nb_channels; - if (frame->nb_samples <= 0) { + if (nb_samples > INT_MAX || !nb_samples) { av_log(ctx, AV_LOG_ERROR, "invalid number of samples in packet\n"); return AVERROR_INVALIDDATA; } + frame->nb_samples = nb_samples; if ((ret = ff_get_buffer(ctx, frame, 0)) < 0) return ret; -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
