From 2ccb8a7d8858397f4d639d8b83d035d1451eb1ac Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Thu, 23 Apr 2026 16:44:10 +0200
Subject: [PATCH] security: fix integer overflow in DSF file buffer allocation
Memory Safety: High
When parsing a DSF audio file, blocksize and channels are read as uint32_t from untrusted file data and multiplied together for the buffer allocation. A malicious file could set these to values whose product overflows, resulting in a small allocation followed by out-of-bounds writes when the buffer is filled.
Add overflow checking before the multiplication and validate that neither value is zero. Also use calloc(channels, blocksize) instead of calloc(1, blocksize * channels) to let calloc perform its own internal overflow check.
Co-Authored-By: Claude Opus 4.6
---
 src/tools/dsffile.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/tools/dsffile.c b/src/tools/dsffile.c
index 757962e22..9118baafa 100644
--- a/src/tools/dsffile.c
+++ b/src/tools/dsffile.c
@@ -3,6 +3,7 @@
 /* SPDX-License-Identifier: MIT */
 #include
+#include
 #include
 #include
 #include
@@ -95,7 +96,10 @@ static int read_fmt(struct dsf_file *f)
 if (size > s)
 f_skip(f, size - s);
- f->buffer = calloc(1, f->info.blocksize * f->info.channels);
+ if (f->info.blocksize == 0 || f->info.channels == 0 ||
+ f->info.channels > SIZE_MAX / f->info.blocksize)
+ return -EINVAL;
+ f->buffer = calloc(f->info.channels, f->info.blocksize);
 if (f->buffer == NULL)
 return -errno;
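Review bot: The new guard in read_fmt rejects zero and overflowing sizes but puts no upper bound on blocksize or channels, so a crafted fmt chunk can still make calloc(channels, blocksize) request a multi-gigabyte buffer, which where it succeeds is a cheap memory-exhaustion vector from untrusted input. A sanity limit next to the zero check would close that, e.g. `if (f->info.blocksize > DSF_MAX_BLOCKSIZE /* placeholder: format's fixed block size */ || f->info.channels > DSF_MAX_CHANNELS /* placeholder */) return -EINVAL;` — if I recall the DSF specification correctly it fixes the per-channel block size and permits only a handful of channels, so both bounds can be tight. A short comment on the check would also help future readers, because with two uint32_t operands the SIZE_MAX comparison cannot trigger on 64-bit targets and the real fix is the calloc(channels, blocksize) form, whose multiplication happens in size_t where the old uint32_t product wrapped on every platform: `/* product fits size_t; the old uint32_t multiply wrapped even on 64-bit */`. If read_fmt can run more than once for the same file (a duplicate fmt chunk), the assignment also silently replaces any buffer already held in f->buffer; worth confirming the caller prevents that or freeing the old buffer first. The body of read_fmt begins and ends outside this hunk.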