From 23188c9b1c34f06ca7f17243425d59403e9eb0db Mon Sep 17 00:00:00 2001 From: Alex Stewart Date: Wed, 11 Oct 2023 17:26:51 -0400 Subject: [PATCH 09/17] aiff: fix int overflow when counting header elements aiff_read_basc_chunk() tries to count the AIFF header size by keeping track of the bytes returned by psf_binheader_readf(). Though improbable, it is technically possible for these added bytes to exceed the int-sized `count` accumulator. Use a 64-bit sf_count_t type for `count`, to ensure that it always has enough numeric space. CVE: CVE-2022-33065 Fixes: https://github.com/libsndfile/libsndfile/issues/833 Signed-off-by: Alex Stewart Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-5.patch?h=ubuntu/jammy-security Upstream commit https://github.com/libsndfile/libsndfile/commit/23188c9b1c34f06ca7f17243425d59403e9eb0db] CVE: CVE-2022-33065 Signed-off-by: Vijay Anusuri --- src/aiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/aiff.c b/src/aiff.c index ac3655e9d..6d8f1bc83 100644 --- a/src/aiff.c +++ b/src/aiff.c @@ -1702,7 +1702,7 @@ static int aiff_read_basc_chunk (SF_PRIVATE * psf, int datasize) { const char * type_str ; basc_CHUNK bc ; - int count ; + sf_count_t count ; count = psf_binheader_readf (psf, "E442", &bc.version, &bc.numBeats, &bc.rootNote) ; count += psf_binheader_readf (psf, "E222", &bc.scaleType, &bc.sigNumerator, &bc.sigDenominator) ;
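Review bot: In aiff_read_basc_chunk(), `count` becomes sf_count_t but the `int datasize` parameter in the signature is unchanged, and the rest of the function lies outside this hunk, so every later use of `count` needs a look. A comparison or subtraction against `datasize`, or passing `count` to an int parameter or an int-sized log format, would now narrow a 64-bit value implicitly. Suggest confirming those sites and adding an explicit bounds check or cast where the value is narrowed. Minor: the commit message carries the `CVE: CVE-2022-33065` tag twice; one occurrence is enough.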