From fafb0918c8aa9aeb1ecc4380a254645ca5c44881 Mon Sep 17 00:00:00 2001
From: zhailiangliang
Date: Thu, 31 Oct 2024 03:27:04 +0000
Subject: [PATCH] fix integer overflow in function copyaudiodata
---
 sfcommands/sfconvert.c | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
index 80a1bc4..783c37c 100644
--- a/sfcommands/sfconvert.c
+++ b/sfcommands/sfconvert.c
@@ -24,6 +24,7 @@
 sound files.
 */
+#include
 #include "config.h"
 #ifdef __USE_SGI_HEADERS__
@@ -321,16 +322,34 @@ void printversion (void)
 */
 bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
 {
+ const int kBufferFrameCount = 65536;
 int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
+ bool success = true;
+ void *buffer = NULL;
- const int kBufferFrameCount = 65536;
- void *buffer = malloc(kBufferFrameCount * frameSize);
+ if (frameSize <= 0)
+ {
+ fprintf(stderr, "afGetVirtualFrameSize error! \n");
+ return false;
+ }
+
+ if (frameSize > INT_MAX / kBufferFrameCount)
+ {
+ fprintf(stderr, "Prevent integer overflow! \n");
+ return false;
+ }
+
+ buffer = malloc(kBufferFrameCount * frameSize);
+
+ if (buffer == NULL)
+ {
+ fprintf(stderr, "allocation of bytes failed! \n");
+ return false;
+ }
 AFframecount totalFrames = afGetFrameCount(infile, AF_DEFAULT_TRACK);
 AFframecount totalFramesWritten = 0;
- bool success = true;
-
 while (totalFramesWritten < totalFrames)
 {
 AFframecount framesToRead = totalFrames - totalFramesWritten;
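Review bot: The added system include in the first hunk sits above `#include "config.h"`, and a configure-generated config.h is normally kept as the first include because it can define feature-test macros that must be seen before any libc header. The header name was lost in this rendering of the patch (presumably `<limits.h>`, since the second hunk uses `INT_MAX`); moving that line to just below `#include "config.h"` keeps the usual ordering. Whether this project's config.h defines such macros is not visible here, so this is a check to make rather than a confirmed break.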
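Review bot: The guard `frameSize > INT_MAX / kBufferFrameCount` in the second hunk only keeps the `int` multiplication from wrapping, so with a 32-bit `int` a frame size of up to 32767 bytes is still accepted and the `malloc` request can reach just under 2 GiB. If the frame size is derived from the input file's track parameters (presumably, via `afGetVirtualFrameSize`), a malformed file decides the size of that allocation; a cap expressed in bytes, such as `if (frameSize > kMaxBufferBytes / kBufferFrameCount)` where `kMaxBufferBytes` is a placeholder for a project-chosen budget, would bound it. The three diagnostics would also be easier to act on if they named the rejected value, e.g. `fprintf(stderr, "frame size %d is too large to buffer\n", frameSize);`. The body of copyaudiodata continues past the end of the hunk, so the release of `buffer` on the normal path is not visible here; the new early returns all occur before a successful allocation and leak nothing.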