avcodec/truespeech: reject iterations count whose * 240 product overflows 32-bit
authorDavid Korczynski <david@adalogics.com>
Sat, 6 Jun 2026 14:23:27 +0000 (16:23 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sat, 13 Jun 2026 23:28:20 +0000 (01:28 +0200)
Found-by: Anthropic agents; validated and reported by Ada Logics.
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d30dead35e7fecae51ccd4602273153c87b1bbd9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/truespeech.c

index 272fc43deb4c981a3c5aaadfedb38b6eee817b88..2d031e642ca9d54c68c6e3f4674b087aca286d85 100644 (file)
@@ -323,6 +323,11 @@ static int truespeech_decode_frame(AVCodecContext *avctx, void *data,
                "Too small input buffer (%d bytes), need at least 32 bytes\n", buf_size);
         return -1;
     }
+    if (iterations > INT_MAX / 240) {
+        av_log(avctx, AV_LOG_ERROR,
+               "Too large input buffer (%d bytes); per-block sample count overflows\n", buf_size);
+        return AVERROR_INVALIDDATA;
+    }
 
     /* get output buffer */
     frame->nb_samples = iterations * 240;
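Review bot: The new guard `iterations > INT_MAX / 240` and the multiplication it protects, `frame->nb_samples = iterations * 240;`, each hard-code the literal 240, so the bound only holds while the two stay in sync. A one-line comment above the check would record the dependency, e.g. `/* iterations * 240 is stored in the int nb_samples below; reject counts whose product would overflow (signed overflow is UB) */`, and a shared named constant for the samples-per-block value would tie the two together. The log text says the "per-block sample count overflows", but the quantity that overflows is the per-frame total, so something like `"Too large input buffer (%d bytes); frame sample count overflows\n"` would be more accurate for anyone triaging the error. The declaration of `iterations` and the rest of `truespeech_decode_frame` lie outside this hunk, so its type and how it is derived from `buf_size` could not be checked here.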