File mumble-1.5.857-CVE-2025-71264.patch of Package mumble

From aae3e47b23518c97f5dbe1dbca51ad7d750bbefb Mon Sep 17 00:00:00 2001
From: Robert Adam <dev@robert-adam.de>
Date: Sun, 28 Dec 2025 16:48:24 +0100
Subject: [PATCH] FIX(client, audio): Opus expects frame size per channel

However, the code used to provide it with the total frame size. This
made Opus believe that the associated buffers (arrays) are twice as
large as they really are in case stereo audio is decoded. This can lead
to out-of-bounds array accesses.
---
 src/mumble/AudioOutputSpeech.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/mumble/AudioOutputSpeech.cpp b/src/mumble/AudioOutputSpeech.cpp
index 7a168e1f4f2..542f6dd6f53 100644
--- a/src/mumble/AudioOutputSpeech.cpp
+++ b/src/mumble/AudioOutputSpeech.cpp
@@ -346,7 +346,7 @@ bool AudioOutputSpeech::prepareSampleBuffer(unsigned int frameCount) {
 					// packet normally in order to be able to play it.
 					decodedSamples = opus_decode_float(
 						opusState, qba.isEmpty() ? nullptr : reinterpret_cast< const unsigned char * >(qba.constData()),
-						qba.size(), pOut, static_cast< int >(iAudioBufferSize), 0);
+						qba.size(), pOut, static_cast< int >(iAudioBufferSize / channels), 0);
 				} else {
 					// If the packet is non-empty, but the associated user is locally muted,
 					// we don't have to decode the packet. Instead it is enough to know how many
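Review bot: The per-channel bound now passed to `opus_decode_float` at the changed line rests on two things this hunk does not establish: that `channels` is never zero, and that `pOut` really has room for `iAudioBufferSize` floats. Opus treats the frame-size argument as samples per channel and may write up to that many samples times the channel count into the output buffer, so the rounding-down division is only safe while both hold. I would record the contract next to the call, e.g. `// frame_size is samples per channel; Opus may write up to frame_size * channels floats to pOut`, and guard the division with `assert(channels > 0);`. prepareSampleBuffer starts and ends outside the hunk, so the allocation behind `pOut` could not be checked here.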
@@ -398,7 +398,8 @@ bool AudioOutputSpeech::prepareSampleBuffer(unsigned int frameCount) {
 				}
 			} else {
 				assert(m_codec == Mumble::Protocol::AudioCodec::Opus);
-				decodedSamples = opus_decode_float(opusState, nullptr, 0, pOut, static_cast< int >(iFrameSize), 0);
+				decodedSamples =
+					opus_decode_float(opusState, nullptr, 0, pOut, static_cast< int >(iFrameSizePerChannel), 0);
 				decodedSamples *= static_cast< int >(channels);
 
 				if (decodedSamples < 0) {
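Review bot: The `decodedSamples < 0` test runs after `decodedSamples *= static_cast< int >(channels);`, so a negative Opus error code is scaled by the channel count before it is examined. The sign survives and the failure is still caught, but anything that logs or compares the value would see a multiple of the real error code for stereo streams. Consider scaling only on success, e.g. `if (decodedSamples >= 0) decodedSamples *= static_cast< int >(channels);`. The body of the error branch lies outside the hunk, so whether the value is used there is not visible.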