avcodec/alsdec: Fix integer overflow with buffer number

Fixes: signed integer overflow: 65313 * 65313 cannot be represented in type 'int' Fixes: 15290/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5738074249625600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/alsdec: Fix integer overflow with buffer number
Fixes: signed integer overflow: 65313 * 65313 cannot be represented in type 'int' Fixes: 15290/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5738074249625600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
5f64f605 · Michael Niedermayer · 7f527021 · 5f64f605
Commit 5f64f605 authored Jun 20, 2019 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

alsdec.c libavcodec/alsdec.c +2 -0

No files found.
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1993,6 +1993,8 @@ static av_cold int decode_init(AVCodecContext *avctx)

    // allocate quantized parcor coefficient buffer
    num_buffers = sconf->mc_coding ? avctx->channels : 1;
+    if (num_buffers * (uint64_t)num_buffers > INT_MAX) // protect chan_data_buffer allocation
+        return AVERROR_INVALIDDATA;

    ctx->quant_cof        = av_malloc_array(num_buffers, sizeof(*ctx->quant_cof));
    ctx->lpc_cof          = av_malloc_array(num_buffers, sizeof(*ctx->lpc_cof));