From 67e38cf47b7683586c24de18d8253029042dc72f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 7 Jul 2023 10:08:21 +0300
Subject: [PATCH] rmdemux: Check for integer overflow when calculation audio
 packet size

Fixes ZDI-CAN-21444
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2782

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5072>
---
 subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c b/subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c
index a0e38ef1d6..981932675b 100644
--- a/subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c
+++ b/subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c
@@ -2007,6 +2007,7 @@ gst_rmdemux_descramble_audio (GstRMDemux * rmdemux, GstRMDemuxStream * stream)
   guint packet_size = stream->packet_size;
   guint height = stream->subpackets->len;
   guint leaf_size = stream->leaf_size;
+  guint size;
   guint p, x;
 
   g_assert (stream->height == height);
@@ -2014,7 +2015,12 @@ gst_rmdemux_descramble_audio (GstRMDemux * rmdemux, GstRMDemuxStream * stream)
   GST_LOG_OBJECT (rmdemux, "packet_size = %u, leaf_size = %u, height= %u",
       packet_size, leaf_size, height);
 
-  outbuf = gst_buffer_new_and_alloc (height * packet_size);
+  if (!g_uint_checked_mul (&size, height, packet_size)) {
+    GST_ERROR_OBJECT (rmdemux, "overflowing audio packet size");
+    return GST_FLOW_ERROR;
+  }
+
+  outbuf = gst_buffer_new_and_alloc (size);
   gst_buffer_map (outbuf, &outmap, GST_MAP_WRITE);
 
   for (p = 0; p < height; ++p) {