[FFmpeg-devel] [PR] avcodec/on2avc: reject subframe count whose * SUBFRAME_SIZE product overflows 32-bit (PR #23353)

[michaelni via ffmpeg-devel]

PR #23353 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23353
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23353.patch

Found-by: Anthropic agents; validated and reported by Ada Logics.
Signed-off-by: David Korczynski <da...@adalogics.com>




>From 8f8de7d201834a78aa055a2fbdbdbc0964800704 Mon Sep 17 00:00:00 2001
From: David Korczynski <da...@adalogics.com>
Date: Fri, 5 Jun 2026 00:14:06 +0200
Subject: [PATCH] avcodec/on2avc: reject subframe count whose * SUBFRAME_SIZE
 product overflows 32-bit

Found-by: Anthropic agents; validated and reported by Ada Logics.
Signed-off-by: David Korczynski <da...@adalogics.com>
---
 libavcodec/on2avc.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c
index 0a912cc30b..41ada55e1a 100644
--- a/libavcodec/on2avc.c
+++ b/libavcodec/on2avc.c
@@ -866,6 +866,12 @@ static int on2avc_decode_frame(AVCodecContext * avctx, 
AVFrame *frame,
             av_log(avctx, AV_LOG_ERROR, "No subframes present\n");
             return AVERROR_INVALIDDATA;
         }
+        if (num_frames > INT_MAX / ON2AVC_SUBFRAME_SIZE) {
+            av_log(avctx, AV_LOG_ERROR,
+                   "Too many subframes (%d); per-frame sample count 
overflows\n",
+                   num_frames);
+            return AVERROR_INVALIDDATA;
+        }
 
         /* get output buffer */
         frame->nb_samples = ON2AVC_SUBFRAME_SIZE * num_frames;
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-le...@ffmpeg.org