[FFmpeg-cvslog] alac: fix integer overflow leading to subsequent out of array accesses.

Michael Niedermayer git at videolan.org
Mon Dec 3 21:14:37 CET 2012


ffmpeg | branch: release/1.0 | Michael Niedermayer <michaelni at gmx.at> | Sat Nov 10 17:41:56 2012 +0100| [c8c9740ee1ea4a4f857a24b1ce05dcd07b72ec2d] | committer: Michael Niedermayer

alac: fix integer overflow leading to subsequent out of array accesses.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 3920d1387834e2bc334aff9f518f4beb24e470bd)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c8c9740ee1ea4a4f857a24b1ce05dcd07b72ec2d
---

 libavcodec/alac.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index e8e844a..6e72bb6 100644
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -542,7 +542,11 @@ static av_cold int alac_decode_close(AVCodecContext *avctx)
 static int allocate_buffers(ALACContext *alac)
 {
     int ch;
-    int buf_size = alac->max_samples_per_frame * sizeof(int32_t);
+    int buf_size;
+
+    if (alac->max_samples_per_frame > INT_MAX / sizeof(int32_t))
+        goto buf_alloc_fail;
+    buf_size = alac->max_samples_per_frame * sizeof(int32_t);
 
     for (ch = 0; ch < FFMIN(alac->channels, 2); ch++) {
         FF_ALLOC_OR_GOTO(alac->avctx, alac->predict_error_buffer[ch],
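Review bot: The new guard `if (alac->max_samples_per_frame > INT_MAX / sizeof(int32_t))` jumps to `buf_alloc_fail`, so, going by the label name, a stream that declares an oversized `max_samples_per_frame` is reported the same way as an allocation that failed. I would reject the value where the field is parsed and return an invalid-data error there, keeping this check as a second line of defence. Two smaller points on the same line: `INT_MAX / sizeof(int32_t)` has type `size_t`, so the comparison is done unsigned and its behaviour for a negative value depends on the field's declared type, which is not visible in this hunk; a one-line comment stating the type and that the limit keeps `buf_size` within `int` would help. The guard also lets a value of 0 through, giving `buf_size = 0` for the `FF_ALLOC_OR_GOTO` calls that follow; if that is not a valid frame size it should be rejected here as well.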


