This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new aafb5c655e avcodec/mace: reject sample counts that overflow int
aafb5c655e is described below
commit aafb5c655edc76a753275c383ebb139feb032718
Author: Michael Niedermayer <[email protected]>
AuthorDate: Mon Jun 29 01:16:44 2026 +0200
Commit: michaelni <[email protected]>
CommitDate: Fri Jul 3 01:55:02 2026 +0000
avcodec/mace: reject sample counts that overflow int
Fixes: heap buffer overflow
Fixes: FmXBI2dbgvgD
Fixes: 0eea212943544d40f99b05571aa7159d78667154 (Add
avcodec_decode_audio4().)
Found-by: Adrian Junge (vurlo)
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavcodec/mace.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavcodec/mace.c b/libavcodec/mace.c
index 299e5f5cfe..87e802684a 100644
--- a/libavcodec/mace.c
+++ b/libavcodec/mace.c
@@ -252,7 +252,10 @@ static int mace_decode_frame(AVCodecContext *avctx,
AVFrame *frame,
}
/* get output buffer */
- frame->nb_samples = 3 * (buf_size << (1 - is_mace3)) / channels;
+ int64_t nb_samples = 3 * ((int64_t)buf_size << (1 - is_mace3)) / channels;
+ if (nb_samples > INT_MAX)
+ return AVERROR_INVALIDDATA;
+ frame->nb_samples = nb_samples;
if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
return ret;
samples = (int16_t **)frame->extended_data;
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]