From 74f866d9eee4092fcb46aea10efdf90e7f1cec9a Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Date: Tue, 3 Jun 2025 16:52:49 +0200
Subject: [PATCH 2/7] avutil/frame: Use av_memdup() for duplicating extended
 data array

Just do it like av_frame_replace().
Also "fixes" the swapped order or arguments to av_malloc_array()
(the first is supposed to be the number of elements, the second
the size of an element) and therefore part of ticket #11620.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavutil/frame.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/libavutil/frame.c b/libavutil/frame.c
index 569059c45c..13141f143e 100644
--- a/libavutil/frame.c
+++ b/libavutil/frame.c
@@ -348,17 +348,16 @@ int av_frame_ref(AVFrame *dst, const AVFrame *src)
     if (src->extended_data != src->data) {
         int ch = dst->ch_layout.nb_channels;
 
-        if (!ch) {
+        if (ch <= 0 || ch > SIZE_MAX / sizeof(*dst->extended_data)) {
             ret = AVERROR(EINVAL);
             goto fail;
         }
 
-        dst->extended_data = av_malloc_array(sizeof(*dst->extended_data), ch);
+        dst->extended_data = av_memdup(src->extended_data, sizeof(*dst->extended_data) * ch);
         if (!dst->extended_data) {
             ret = AVERROR(ENOMEM);
             goto fail;
         }
-        memcpy(dst->extended_data, src->extended_data, sizeof(*src->extended_data) * ch);
     } else
         dst->extended_data = dst->data;
 
-- 
2.45.2