avcodec/truespeech: reject iterations count whose * 240 product overflows 32-bit

Found-by: Anthropic agents; validated and reported by Ada Logics.
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
David Korczynski
2026-06-11 13:58:45 +00:00
committed by michaelni
co-authored by michaelni
parent b29bdd3715
commit d30dead35e
+5
@@ -323,6 +323,11 @@ static int truespeech_decode_frame(AVCodecContext *avctx, AVFrame *frame,
"Too small input buffer (%d bytes), need at least 32 bytes\n", buf_size);
return -1;
}
if (iterations > INT_MAX / 240) {
av_log(avctx, AV_LOG_ERROR,
"Too large input buffer (%d bytes); per-block sample count overflows\n", buf_size);
return AVERROR_INVALIDDATA;
}
/* get output buffer */
frame->nb_samples = iterations * 240;
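Review bot: the message in the added av_log call says "per-block sample count overflows", but the value this guard protects is the total `iterations * 240` assigned to `frame->nb_samples` just below, so wording such as "total sample count overflows" would describe the failure more accurately. The literal 240 now appears in both the guard (`INT_MAX / 240`) and the multiplication; a named constant shared by the two would keep the bound and the product from drifting apart if one is ever changed. The new path returns AVERROR_INVALIDDATA while the small-buffer check directly above it still returns -1, which is worth aligning in a follow-up so callers see a consistent error code for malformed input.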