From 7dee2c158ffd8f2e2fe0b70e99b69b5dee9cda84 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Wed, 29 Apr 2026 12:39:37 +0200 Subject: [PATCH] security: fix integer overflow in netjack2 opus encoded size calculation Cast the denominator to uint64_t to prevent sample_rate * 8 from overflowing uint32_t, which could produce a tiny denominator and an inflated max_encoded_size. Co-Authored-By: Claude Opus 4.7 --- src/modules/module-netjack2/peer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/modules/module-netjack2/peer.c b/src/modules/module-netjack2/peer.c index a2171b430..f7a4f2b9b 100644 --- a/src/modules/module-netjack2/peer.c +++ b/src/modules/module-netjack2/peer.c @@ -173,7 +173,7 @@ static int netjack2_init(struct netjack2_peer *peer) goto error_errno; } peer->max_encoded_size = ((uint64_t)peer->params.kbps * peer->params.period_size * 1024) / - (peer->params.sample_rate * 8) + sizeof(uint16_t); + ((uint64_t)peer->params.sample_rate * 8) + sizeof(uint16_t); if (spa_overflow_mul(peer->max_encoded_size, max_audio_ch, &peer->encoded_size)) { errno = EINVAL; goto error_errno;