From 94466f8cd58e9a457cf7249d5907d99c80ba5d57 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Tue, 3 Jun 2025 16:44:08 +0200
Subject: [PATCH 1/7] avutil/frame: Always return error upon error

(I don't know whether this can be triggered for a file with
nonnegative channel count, given that src's extended data can't
have been allocated in this case.)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavutil/frame.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/libavutil/frame.c b/libavutil/frame.c
index dcfc835626..569059c45c 100644
--- a/libavutil/frame.c
+++ b/libavutil/frame.c
@@ -456,14 +456,11 @@ int av_frame_replace(AVFrame *dst, const AVFrame *src)
     if (src->extended_data != src->data) {
         int ch = dst->ch_layout.nb_channels;
 
-        if (!ch) {
+        if (ch <= 0 || ch > SIZE_MAX / sizeof(*dst->extended_data)) {
             ret = AVERROR(EINVAL);
             goto fail;
         }
 
-        if (ch > SIZE_MAX / sizeof(*dst->extended_data))
-            goto fail;
-
         dst->extended_data = av_memdup(src->extended_data, sizeof(*dst->extended_data) * ch);
         if (!dst->extended_data) {
             ret = AVERROR(ENOMEM);
-- 
2.45.2