PR #23197 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23197 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23197.patch
Fixes: integer overflow Fixes: out of array access Found-by: Claude (Anthropic), reported by Omkhar Arasaratnam <[email protected]>. >From b8cec2c36b877caf65e8705333993569b97a6a3a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Thu, 21 May 2026 22:42:45 +0200 Subject: [PATCH] avfilter/f_ebur128: avoid signed-int wrap when sizing per-channel cache Fixes: integer overflow Fixes: out of array access Found-by: Claude (Anthropic), reported by Omkhar Arasaratnam <[email protected]>. --- libavfilter/f_ebur128.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavfilter/f_ebur128.c b/libavfilter/f_ebur128.c index 46ff702e6b..a0145b9ec6 100644 --- a/libavfilter/f_ebur128.c +++ b/libavfilter/f_ebur128.c @@ -450,10 +450,14 @@ static int config_audio_output(AVFilterLink *outlink) ebur128->i400.cache_size = I400_BINS(outlink->sample_rate); ebur128->i3000.cache_size = I3000_BINS(outlink->sample_rate); + size_t i400_count, i3000_count; + if (av_size_mult(nb_channels, ebur128->i400.cache_size, &i400_count) < 0 || + av_size_mult(nb_channels, ebur128->i3000.cache_size, &i3000_count) < 0) + return AVERROR(EINVAL); ebur128->i400.sum = av_calloc(nb_channels, sizeof(*ebur128->i400.sum)); ebur128->i3000.sum = av_calloc(nb_channels, sizeof(*ebur128->i3000.sum)); - ebur128->i400.cache = av_calloc(nb_channels * ebur128->i400.cache_size, sizeof(*ebur128->i400.cache)); - ebur128->i3000.cache = av_calloc(nb_channels * ebur128->i3000.cache_size, sizeof(*ebur128->i3000.cache)); + ebur128->i400.cache = av_calloc(i400_count, sizeof(*ebur128->i400.cache)); + ebur128->i3000.cache = av_calloc(i3000_count, sizeof(*ebur128->i3000.cache)); if (!ebur128->i400.sum || !ebur128->i3000.sum || !ebur128->i400.cache || !ebur128->i3000.cache) return AVERROR(ENOMEM); -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
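Review bot: the added av_size_mult() check in config_audio_output() only bounds nb_channels * cache_size against SIZE_MAX, so on a 64-bit build a product above INT_MAX now passes and goes on to av_calloc(). The code that later indexes i400.cache and i3000.cache is outside this hunk; if it still computes its channel and bin offsets in int, the signed wrap moves from the allocation to the access and the "out of array access" in the commit message is not fully closed. Either reject the case here as well, for example by also returning AVERROR(EINVAL) when i400_count or i3000_count exceeds INT_MAX, or confirm that the indexing side does its arithmetic in size_t. Two smaller points: the new `size_t i400_count, i3000_count;` declaration sits after the two cache_size assignments, so moving it to the top of the block would keep declarations together; and the commit message would be easier to backport and test against if it stated which sample rate and channel count combination triggers the overflow.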
