This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new aafb5c655e avcodec/mace: reject sample counts that overflow int
aafb5c655e is described below

commit aafb5c655edc76a753275c383ebb139feb032718
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Mon Jun 29 01:16:44 2026 +0200
Commit:     michaelni <[email protected]>
CommitDate: Fri Jul 3 01:55:02 2026 +0000

    avcodec/mace: reject sample counts that overflow int
    
    Fixes: heap buffer overflow
    Fixes: FmXBI2dbgvgD
    Fixes: 0eea212943544d40f99b05571aa7159d78667154 (Add 
avcodec_decode_audio4().)
    Found-by: Adrian Junge (vurlo)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/mace.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/mace.c b/libavcodec/mace.c
index 299e5f5cfe..87e802684a 100644
--- a/libavcodec/mace.c
+++ b/libavcodec/mace.c
@@ -252,7 +252,10 @@ static int mace_decode_frame(AVCodecContext *avctx, 
AVFrame *frame,
     }
 
     /* get output buffer */
-    frame->nb_samples = 3 * (buf_size << (1 - is_mace3)) / channels;
+    int64_t nb_samples = 3 * ((int64_t)buf_size << (1 - is_mace3)) / channels;
+    if (nb_samples > INT_MAX)
+        return AVERROR_INVALIDDATA;
+    frame->nb_samples = nb_samples;
     if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
         return ret;
     samples = (int16_t **)frame->extended_data;

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to