alac: fix integer overflow leading to subsequent out of array accesses.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-11-10 17:41:56 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-11-10 17:42:35 +0100
commit: 3920d1387834e2bc334aff9f518f4beb24e470bd (patch)
tree: d02477a82aa0514be91d8bd20462011f88de20c4 /libavcodec/alac.c
parent: fd4f4923cce6a2cbf4f48640b4ac706e614a1594 (diff)
download: ffmpeg-3920d1387834e2bc334aff9f518f4beb24e470bd.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index f032ceb9cc..46c3a5b37b 100644
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -542,7 +542,11 @@ static av_cold int alac_decode_close(AVCodecContext *avctx)
 static int allocate_buffers(ALACContext *alac)
 {
     int ch;
-    int buf_size = alac->max_samples_per_frame * sizeof(int32_t);
+    int buf_size;
+
+    if (alac->max_samples_per_frame > INT_MAX / sizeof(int32_t))
+        goto buf_alloc_fail;
+    buf_size = alac->max_samples_per_frame * sizeof(int32_t);
 
     for (ch = 0; ch < FFMIN(alac->channels, 2); ch++) {
         FF_ALLOC_OR_GOTO(alac->avctx, alac->predict_error_buffer[ch],
author	Michael Niedermayer <michaelni@gmx.at>	2012-11-10 17:41:56 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-11-10 17:42:35 +0100
commit	3920d1387834e2bc334aff9f518f4beb24e470bd (patch)
tree	d02477a82aa0514be91d8bd20462011f88de20c4 /libavcodec/alac.c
parent	fd4f4923cce6a2cbf4f48640b4ac706e614a1594 (diff)
download	ffmpeg-3920d1387834e2bc334aff9f518f4beb24e470bd.tar.gz