security: fix integer overflow in Bluetooth codec codesize calculations

Memory Safety: High

Several Bluetooth audio codec implementations calculate codesize by
multiplying samples * channels * sizeof(sample_type) without overflow
checks. The parameters come from Bluetooth codec negotiation, which is
influenced by the remote peer. If the multiplication overflows, codesize
wraps to a small value, causing subsequent buffer size checks to pass
while the actual data processing operates on the full (larger) sample
count, leading to heap buffer overflows.

Affected codecs: LC3 (BAP), LC3plus (A2DP), Opus (A2DP), Opus-G (A2DP).

Add overflow checks before each codesize multiplication to ensure the
result fits in the target integer type, returning -EINVAL on overflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

spa/plugins/bluez5/bap-codec-lc3.c

@@ -1299,7 +1299,20 @@ static void *codec_init(const struct media_codec *codec, uint32_t flags,
 		goto error;
 	}
 	this->samples = res;
-	this->codesize = (size_t)this->samples * this->channels * conf.n_blks * sizeof(int32_t);
+	{
+		size_t cs = (size_t)this->samples * this->channels;
+		if (this->channels > 0 && cs / this->channels != (size_t)this->samples) {
+			res = -EINVAL;
+			goto error;
+		}
+		cs *= conf.n_blks;
+		cs *= sizeof(int32_t);
+		if (cs > UINT_MAX) {
+			res = -EINVAL;
+			goto error;
+		}
+		this->codesize = cs;
+	}
 
 	if (!(flags & MEDIA_CODEC_FLAG_SINK)) {
 		for (ich = 0; ich < this->channels; ich++) {