This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 1e9984772b avcodec/fastaudio: reject subframes count whose * 256
product overflows 32-bit
1e9984772b is described below
commit 1e9984772b6ef878d3ae4a58e01d6a6d63a61bd7
Author: David Korczynski <[email protected]>
AuthorDate: Thu May 21 05:56:17 2026 -0700
Commit: michaelni <[email protected]>
CommitDate: Sat Jun 6 21:32:08 2026 +0000
avcodec/fastaudio: reject subframes count whose * 256 product overflows
32-bit

fastaudio_decode() computes

    subframes = pkt->size / (40 * channels);
    frame->nb_samples = subframes * 256;

both as 32-bit signed multiplications. When pkt->size is large enough
to make subframes >= 2^24, the second multiplication overflows the
signed int range and frame->nb_samples wraps to a small value.
ff_get_buffer() then sizes the audio plane for that wrapped sample
count, while the decoder loop at line 152 still iterates the full
(unwrapped) subframes count, performing a 1024-byte memcpy per
subframe per channel. The 27th iteration (or first iteration with
nb_samples=0) writes one byte past the per-plane allocation,
yielding the ASan heap-buffer-overflow WRITE at
libavcodec/fastaudio.c:171 reported as ANT-2026-03891.

Reject the subframes value whose *256 product would overflow before
performing the multiplication. The bound INT_MAX / 256 (= 8388607)
keeps the existing two's-complement semantics of every reachable
input and rejects only the configurations that would have wrapped.

Reproducer: a crafted AVI declaring one mono audio chunk of
671_088_680 bytes (sparse) with the decoder forced via
'ffmpeg -c:a fastaudio -i evil.avi'.

Found-by: Anthropic agents; validated and reported by Ada Logics.
Signed-off-by: David Korczynski <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavcodec/fastaudio.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/fastaudio.c b/libavcodec/fastaudio.c
index d361b410b9..bab3cb738b 100644
--- a/libavcodec/fastaudio.c
+++ b/libavcodec/fastaudio.c
@@ -113,6 +113,8 @@ static int fastaudio_decode(AVCodecContext *avctx, AVFrame
*frame,
int ret;
subframes = pkt->size / (40 * avctx->ch_layout.nb_channels);
+ if (subframes <= 0 || subframes > INT_MAX / 256)
+ return AVERROR_INVALIDDATA;
frame->nb_samples = subframes * 256;
if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
return ret;
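Review bot: the `subframes <= 0` half of the added condition changes behaviour that the commit message does not describe. The message says the bound "rejects only the configurations that would have wrapped", but a packet shorter than 40 * nb_channels bytes gives subframes == 0 and now returns AVERROR_INVALIDDATA as well. Since the message itself names nb_samples=0 as an overflowing case, the rejection looks intended; a one-line comment above the check (or a sentence in the commit message) saying that short packets are rejected on purpose would make that explicit. A smaller style point on the same two lines: the literal 256 now appears in both the bound and the multiplication that follows, so a named constant for samples per subframe would keep the two from drifting apart.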
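The arithmetic described in the commit message, worked through as an added example; this is not FFmpeg code. The helper names (`subframes_for`, `wrapped_nb_samples`, `samples_produced`, `subframes_ok`) are hypothetical, the packet sizes are constructed around the INT_MAX / 256 bound, and only the two formulas, the guard condition and the reproducer size come from the commit.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Same division as the decoder line quoted in the commit message. */
static int subframes_for(int pkt_size, int channels)
{
    return pkt_size / (40 * channels);
}

/* Value a 32-bit two's-complement multiply leaves in nb_samples.
 * Computed in 64 bits so the demo itself has no signed overflow. */
static int32_t wrapped_nb_samples(int subframes)
{
    uint32_t low = (uint32_t)((int64_t)subframes * 256);
    int64_t v = low;
    if (v > INT32_MAX)
        v -= INT64_C(1) << 32;
    return (int32_t)v;
}

/* Samples per channel that the full subframes count corresponds to. */
static int64_t samples_produced(int subframes)
{
    return (int64_t)subframes * 256;
}

/* The condition added by the patch, inverted: 1 = decode, 0 = reject. */
static int subframes_ok(int subframes)
{
    return subframes > 0 && subframes <= INT_MAX / 256;
}

int main(void)
{
    /* Constructed mono packet sizes: smallest valid, largest accepted,
     * first rejected, and the size named in the commit's reproducer. */
    const int sizes[] = { 40, 335544280, 335544320, 671088680 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        int sf = subframes_for(sizes[i], 1);
        printf("size=%d subframes=%d nb_samples(32-bit)=%d produced=%lld %s\n",
               sizes[i], sf, (int)wrapped_nb_samples(sf),
               (long long)samples_produced(sf),
               subframes_ok(sf) ? "accepted" : "rejected");
    }
    return 0;
}
```

For the reproducer size the 32-bit result and the 64-bit sample count differ by exactly 2^32, which is the gap between what the buffer is sized for and what the loop processes.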