From 839fa9131820d689b2038c81531b618b2932fbe3 Mon Sep 17 00:00:00 2001
From: Alex Stewart
Date: Wed, 11 Oct 2023 16:46:29 -0400
Subject: [PATCH 07/17] avr: fix int overflow in avr_read_header()
Pre-cast hdr.frames to sf_count_t, to provide the calculation with enough numeric space to avoid an int-overflow.
CVE: CVE-2022-33065
Fixes: https://github.com/libsndfile/libsndfile/issues/833
Signed-off-by: Alex Stewart
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-3.patch?h=ubuntu/jammy-security Upstream commit https://github.com/libsndfile/libsndfile/commit/839fa9131820d689b2038c81531b618b2932fbe3]
CVE: CVE-2022-33065
Signed-off-by: Vijay Anusuri
---
 src/avr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/avr.c b/src/avr.c
index 6c78ff69b..1bc1ffc90 100644
--- a/src/avr.c
+++ b/src/avr.c
@@ -162,7 +162,7 @@ avr_read_header (SF_PRIVATE *psf)
 psf->endian = SF_ENDIAN_BIG ;
 psf->dataoffset = AVR_HDR_SIZE ;
- psf->datalength = hdr.frames * (hdr.rez / 8) ;
+ psf->datalength = (sf_count_t) hdr.frames * (hdr.rez / 8) ;
 if (psf->fileoffset > 0) psf->filelength = AVR_HDR_SIZE + psf->datalength ;
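Review bot: The widened product on the `psf->datalength` line is still stored without a range check, so a header-supplied `hdr.frames` can yield a negative or implausibly large length even though the int overflow is gone. If `hdr.frames` is a signed field (its declaration is outside this hunk), a negative count survives the cast and flows into `psf->filelength` on the `psf->fileoffset > 0` path just below. Consider rejecting it right after the assignment, for example `if (psf->datalength < 0) return SFE_MALFORMED_FILE ;`, and where the real file length is known, capping the value at what the file actually holds. The body of avr_read_header starts and ends outside the hunk, so an earlier check may already cover part of this.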