avcodec/alsdec: Fix integer overflow with buffer number

Fixes: signed integer overflow: 65313 * 65313 cannot be represented in type 'int' Fixes: 15290/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5738074249625600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-06-21 00:47:17 +02:00 · 2019-06-21 00:47:17 +02:00 · 5f64f6058e
commit 5f64f6058e
parent 7f527021df
1 changed files with 2 additions and 0 deletions
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@ -1993,6 +1993,8 @@ static av_cold int decode_init(AVCodecContext *avctx)

    // allocate quantized parcor coefficient buffer
    num_buffers = sconf->mc_coding ? avctx->channels : 1;
+    if (num_buffers * (uint64_t)num_buffers > INT_MAX) // protect chan_data_buffer allocation
+        return AVERROR_INVALIDDATA;

    ctx->quant_cof        = av_malloc_array(num_buffers, sizeof(*ctx->quant_cof));
    ctx->lpc_cof          = av_malloc_array(num_buffers, sizeof(*ctx->lpc_cof));