avcodec/speexdec: Check frames_per_packet more completely

Fixes: signed integer overflow: 2105344 * 539033345 cannot be represented in type 'int' Fixes: out of array write Fixes: 39956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4766419250708480 Fixes: 40293/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-5219910217760768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2021-10-15 00:01:06 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2021-11-14 17:51:35 +0100
commit: 866ad2e95262606b194cb2e79ce8a7e63c32ce06 (patch)
tree: 1eeba0337b1a8114deafbfd41d1ce801ac0520a3 /libavcodec/speexdec.c
parent: 74e49cc583fbc6a0dd06f8f6eb1ba2f5f340d547 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
index 90e95f0785..e263d4c48c 100644
--- a/libavcodec/speexdec.c
+++ b/libavcodec/speexdec.c
@@ -1423,7 +1423,9 @@ static int parse_speex_extradata(AVCodecContext *avctx,
         return AVERROR_INVALIDDATA;
     s->vbr = bytestream_get_le32(&buf);
     s->frames_per_packet = bytestream_get_le32(&buf);
-    if (s->frames_per_packet <= 0)
+    if (s->frames_per_packet <= 0 ||
+        s->frames_per_packet > 64 ||
+        s->frames_per_packet >= INT32_MAX / s->nb_channels / s->frame_size)
         return AVERROR_INVALIDDATA;
     s->extra_headers = bytestream_get_le32(&buf);
author	Michael Niedermayer <michael@niedermayer.cc>	2021-10-15 00:01:06 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2021-11-14 17:51:35 +0100
commit	866ad2e95262606b194cb2e79ce8a7e63c32ce06 (patch)
tree	1eeba0337b1a8114deafbfd41d1ce801ac0520a3 /libavcodec/speexdec.c
parent	74e49cc583fbc6a0dd06f8f6eb1ba2f5f340d547 (diff)