From d26ce3ec60142eef7d325b5ade4e8f38c6a82015 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 3 May 2026 04:03:07 +0200
Subject: [PATCH] avformat/iamf_parse.c: Fix potential integer overflow in opus_decoder_config()
Signed-off-by: Michael Niedermayer
(cherry picked from commit 016a241102250372a9c2e96f6e8dca67ec01d3f7)
Signed-off-by: Michael Niedermayer
---
 libavformat/iamf_parse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/iamf_parse.c b/libavformat/iamf_parse.c
index 926b17e23f..97a5c8a360 100644
--- a/libavformat/iamf_parse.c
+++ b/libavformat/iamf_parse.c
@@ -38,7 +38,7 @@ static int opus_decoder_config(IAMFCodecConfig *codec_config,
 {
 int ret, left = len - avio_tell(pb);
- if (left < 11 || codec_config->audio_roll_distance >= 0)
+ if (left < 11 || codec_config->audio_roll_distance >= 0 || left > INT_MAX - 8)
 return AVERROR_INVALIDDATA;
 codec_config->extradata = av_malloc(left + 8);
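Review bot: The new `left > INT_MAX - 8` test only protects the `left + 8` addition; `left` itself is still produced by narrowing `len - avio_tell(pb)` into an `int` on the declaration line, before any check runs. avio_tell() returns a 64-bit offset, so a difference outside the `int` range would presumably be truncated first and the guard would then see the wrapped value. Doing the subtraction in a wide type and range-checking that would close the gap, e.g. `int64_t left = len - avio_tell(pb);` followed by `if (left < 11 || left > INT_MAX - 8 || codec_config->audio_roll_distance >= 0)`. Separately, the guard still lets a stream-controlled size of nearly INT_MAX reach av_malloc(), so a cap tied to the bytes actually remaining in the OBU (if the caller knows it) would be a tighter bound. The type of `len` and the rest of opus_decoder_config() lie outside this hunk, so both points should be confirmed against the full function.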