This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 537e87e3c2 avfilter/f_ebur128: avoid signed-int wrap when sizing
per-channel cache
537e87e3c2 is described below
commit 537e87e3c28b5c09d4ee9dcf17cee272dc97bc16
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu May 21 22:42:45 2026 +0200
Commit: michaelni <[email protected]>
CommitDate: Wed Jun 3 01:45:08 2026 +0000
avfilter/f_ebur128: avoid signed-int wrap when sizing per-channel cache
Fixes: integer overflow
Fixes: out of array access
Found-by: Claude (Anthropic), reported by Omkhar Arasaratnam
<[email protected]>.
---
libavfilter/f_ebur128.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/libavfilter/f_ebur128.c b/libavfilter/f_ebur128.c
index 46ff702e6b..e6c2132fca 100644
--- a/libavfilter/f_ebur128.c
+++ b/libavfilter/f_ebur128.c
@@ -445,15 +445,22 @@ static int config_audio_output(AVFilterLink *outlink)
if (!ebur128->ch_weighting || !ebur128->dsp.y || !ebur128->dsp.z)
return AVERROR(ENOMEM);
-#define I400_BINS(x) ((x) * 4 / 10)
+#define I400_BINS(x) ((x) * 2 / 5)
#define I3000_BINS(x) ((x) * 3)
+ if (outlink->sample_rate > INT_MAX/3U || outlink->sample_rate < 3)
+ return AVERROR(EINVAL);
+
ebur128->i400.cache_size = I400_BINS(outlink->sample_rate);
ebur128->i3000.cache_size = I3000_BINS(outlink->sample_rate);
+ size_t i400_count, i3000_count;
+ if (av_size_mult(nb_channels, ebur128->i400.cache_size, &i400_count) < 0
|| i400_count > INT_MAX ||
+ av_size_mult(nb_channels, ebur128->i3000.cache_size, &i3000_count) < 0
|| i3000_count > INT_MAX)
+ return AVERROR(EINVAL);
ebur128->i400.sum = av_calloc(nb_channels, sizeof(*ebur128->i400.sum));
ebur128->i3000.sum = av_calloc(nb_channels, sizeof(*ebur128->i3000.sum));
- ebur128->i400.cache = av_calloc(nb_channels * ebur128->i400.cache_size,
sizeof(*ebur128->i400.cache));
- ebur128->i3000.cache = av_calloc(nb_channels * ebur128->i3000.cache_size,
sizeof(*ebur128->i3000.cache));
+ ebur128->i400.cache = av_calloc(i400_count,
sizeof(*ebur128->i400.cache));
+ ebur128->i3000.cache = av_calloc(i3000_count,
sizeof(*ebur128->i3000.cache));
if (!ebur128->i400.sum || !ebur128->i3000.sum ||
!ebur128->i400.cache || !ebur128->i3000.cache)
return AVERROR(ENOMEM);
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
