alac: fix integer overflow leading to subsequent out of array accesses.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

alac: fix integer overflow leading to subsequent out of array accesses.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
3920d138 · Michael Niedermayer · fd4f4923 · 3920d138
Commit 3920d138 authored Nov 10, 2012 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

alac.c libavcodec/alac.c +5 -1

No files found.
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -542,7 +542,11 @@ static av_cold int alac_decode_close(AVCodecContext *avctx)
 static int allocate_buffers(ALACContext *alac)
 {
    int ch;
-    int buf_size = alac->max_samples_per_frame * sizeof(int32_t);
+    int buf_size;
+
+    if (alac->max_samples_per_frame > INT_MAX / sizeof(int32_t))
+        goto buf_alloc_fail;
+    buf_size = alac->max_samples_per_frame * sizeof(int32_t);

    for (ch = 0; ch < FFMIN(alac->channels, 2); ch++) {
        FF_ALLOC_OR_GOTO(alac->avctx, alac->predict_error_buffer[ch],