From b268b27cd8ff0dda1fda71890cd414f4cb2096db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Fri, 7 Jul 2023 09:59:20 +0300
Subject: [PATCH] rmdemux: Check for integer overflows when calculating the
 size of SIPR audio buffers

Fixes ZDI-CAN-21443
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2782

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5072>
---
 subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c b/subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c
index 473aebe075..eaee9acdd1 100644
--- a/subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c
+++ b/subprojects/gst-plugins-ugly/gst/realmedia/rmdemux.c
@@ -2144,6 +2144,7 @@ gst_rmdemux_descramble_sipr_audio (GstRMDemux * rmdemux,
   GstMapInfo outmap;
   guint packet_size = stream->packet_size;
   guint height = stream->subpackets->len;
+  guint size;
   guint p;
 
   g_assert (stream->height == height);
@@ -2151,7 +2152,12 @@ gst_rmdemux_descramble_sipr_audio (GstRMDemux * rmdemux,
   GST_LOG_OBJECT (rmdemux, "packet_size = %u, leaf_size = %u, height= %u",
       packet_size, stream->leaf_size, height);
 
-  outbuf = gst_buffer_new_and_alloc (height * packet_size);
+  if (!g_uint_checked_mul (&size, height, packet_size)) {
+    GST_ERROR_OBJECT (rmdemux, "overflowing SIPR audio packet size");
+    return GST_FLOW_ERROR;
+  }
+
+  outbuf = gst_buffer_new_and_alloc (size);
   gst_buffer_map (outbuf, &outmap, GST_MAP_WRITE);
 
   for (p = 0; p < height; ++p) {