overflow: fix some more potential overflows

spa/plugins/audioconvert/audioconvert.c

@@ -14,6 +14,7 @@
 #include <spa/support/loop.h>
 #include <spa/support/log.h>
 #include <spa/support/plugin-loader.h>
+#include <spa/utils/overflow.h>
 #include <spa/utils/result.h>
 #include <spa/utils/list.h>
 #include <spa/utils/json.h>
@@ -1285,24 +1286,28 @@ static int ensure_tmp(struct impl *this)
 	uint32_t maxsize = this->maxsize, maxports = this->maxports;
 	uint32_t i;
 	float *empty, *scratch, *tmp[2];
+	size_t alloc_size;
+
+	if (spa_overflow_add((size_t)maxsize, (size_t)MAX_ALIGN, &alloc_size))
+		return -ENOMEM;
 
 	if (maxsize > this->scratch_size) {
 		spa_log_info(this->log, "resize tmp %d -> %d", this->scratch_size, maxsize);
 
-		if ((empty = realloc(this->empty, maxsize + MAX_ALIGN)) != NULL)
+		if ((empty = realloc(this->empty, alloc_size)) != NULL)
 			this->empty = empty;
-		if ((scratch = realloc(this->scratch, maxsize + MAX_ALIGN)) != NULL)
+		if ((scratch = realloc(this->scratch, alloc_size)) != NULL)
 			this->scratch = scratch;
 		if (empty == NULL || scratch == NULL) {
 			free_tmp(this);
 			return -ENOMEM;
 		}
-		memset(this->empty, 0, maxsize + MAX_ALIGN);
+		memset(this->empty, 0, alloc_size);
 
 		for (i = 0; i < this->scratch_ports; i++) {
-			if ((tmp[0] = realloc(this->tmp[0][i], maxsize + MAX_ALIGN)) != NULL)
+			if ((tmp[0] = realloc(this->tmp[0][i], alloc_size)) != NULL)
 				this->tmp[0][i] = tmp[0];
-			if ((tmp[1] = realloc(this->tmp[1][i], maxsize + MAX_ALIGN)) != NULL)
+			if ((tmp[1] = realloc(this->tmp[1][i], alloc_size)) != NULL)
 				this->tmp[1][i] = tmp[1];
 			if (tmp[0] == NULL || tmp[1] == NULL) {
 				free_tmp(this);
@@ -1317,9 +1322,9 @@ static int ensure_tmp(struct impl *this)
 		spa_log_info(this->log, "resize ports %d -> %d", this->scratch_ports, maxports);
 
 		for (i = this->scratch_ports; i < maxports; i++) {
-			if ((tmp[0] = malloc(maxsize + MAX_ALIGN)) != NULL)
+			if ((tmp[0] = malloc(alloc_size)) != NULL)
 				this->tmp[0][i] = tmp[0];
-			if ((tmp[1] = malloc(maxsize + MAX_ALIGN)) != NULL)
+			if ((tmp[1] = malloc(alloc_size)) != NULL)
 				this->tmp[1][i] = tmp[1];
 			if (tmp[0] == NULL || tmp[1] == NULL) {
 				free_tmp(this);

spa/plugins/audioconvert/fmt-ops.c

@@ -8,6 +8,7 @@
 
 #include <spa/support/cpu.h>
 #include <spa/utils/defs.h>
+#include <spa/utils/overflow.h>
 #include <spa/param/audio/format-utils.h>
 
 #include "fmt-ops.h"
@@ -551,7 +552,8 @@ int convert_init(struct convert *conv)
 	const struct dither_info *dinfo;
 	const struct noise_info *ninfo;
 	const struct clear_info *cinfo;
-	uint32_t i, conv_flags, data_size[4];
+	uint32_t i, conv_flags;
+	size_t data_size[4];
 
 	/* we generate int32 bits of random values. With this scale
 	 * factor, we bring this in the [-1.0, 1.0] range */
@@ -615,10 +617,18 @@ int convert_init(struct convert *conv)
 	data_size[0] = SPA_ROUND_UP(conv->noise_size * sizeof(float), FMT_OPS_MAX_ALIGN);
 	data_size[1] = SPA_ROUND_UP(RANDOM_SIZE * sizeof(uint32_t), FMT_OPS_MAX_ALIGN);
 	data_size[2] = SPA_ROUND_UP(RANDOM_SIZE * sizeof(int32_t), FMT_OPS_MAX_ALIGN);
-	data_size[3] = SPA_ROUND_UP(conv->n_channels * sizeof(struct shaper), FMT_OPS_MAX_ALIGN);
+	if (spa_overflow_mul((size_t)conv->n_channels, sizeof(struct shaper), &data_size[3]))
+		return -ENOMEM;
+	data_size[3] = SPA_ROUND_UP(data_size[3], FMT_OPS_MAX_ALIGN);
 
-	conv->data = calloc(FMT_OPS_MAX_ALIGN +
-			data_size[0] + data_size[1] + data_size[2] + data_size[3], 1);
+	size_t total_size = FMT_OPS_MAX_ALIGN;
+	if (spa_overflow_add(total_size, data_size[0], &total_size) ||
+	    spa_overflow_add(total_size, data_size[1], &total_size) ||
+	    spa_overflow_add(total_size, data_size[2], &total_size) ||
+	    spa_overflow_add(total_size, data_size[3], &total_size))
+		return -ENOMEM;
+
+	conv->data = calloc(total_size, 1);
 	if (conv->data == NULL)
 		return -errno;