From 0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Sat, 17 Feb 2024 09:45:57 -0300
Subject: [PATCH] avcodec/speexdec: further check for sane frame_size values

Prevent potential integer overflows.

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavcodec/speexdec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c
index 4d8052d585..ba0df687de 100644
--- a/libavcodec/speexdec.c
+++ b/libavcodec/speexdec.c
@@ -1421,9 +1421,10 @@ static int parse_speex_extradata(AVCodecContext *avctx,
         return AVERROR_INVALIDDATA;
     s->bitrate = bytestream_get_le32(&buf);
     s->frame_size = bytestream_get_le32(&buf);
-    if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0))
+    if (s->frame_size < NB_FRAME_SIZE << (s->mode > 0) ||
+        s->frame_size >     INT32_MAX >> (s->mode > 0))
         return AVERROR_INVALIDDATA;
-    s->frame_size *= 1 + (s->mode > 0);
+    s->frame_size <<= (s->mode > 0);
     s->vbr = bytestream_get_le32(&buf);
     s->frames_per_packet = bytestream_get_le32(&buf);
     if (s->frames_per_packet <= 0 ||