alanxz reports:
When parsing a frame header, validate that the frame_size is less than or equal to INT32_MAX. Given frame_max is limited between 0 and INT32_MAX in amqp_login and friends, this does not change the API. This prevents a potential buffer overflow when a malicious client sends a frame_size that is close to UINT32_MAX, which causes an overflow when computing state->target_size resulting in a small value there. A buffer is then allocated with the small amount, then memcopy copies the frame_size writing to memory beyond the end of the buffer.
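The size arithmetic behind this report, as an added example that is not the project's own code: it shows the wrapped target size next to the INT32_MAX check the fix describes. The function names are hypothetical, the 7-byte header and 1-byte frame-end follow AMQP 0-9-1 framing, and modelling the target size as a 32-bit sum of frame_size plus that overhead is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

#define HEADER_SIZE 7u /* AMQP 0-9-1 framing: type(1) + channel(2) + size(4) */
#define FOOTER_SIZE 1u /* frame-end octet */

/* Decode the big-endian 32-bit frame_size at offset 3 of the header. */
static uint32_t decode_frame_size(const uint8_t hdr[HEADER_SIZE]) {
  return ((uint32_t)hdr[3] << 24) | ((uint32_t)hdr[4] << 16) |
         ((uint32_t)hdr[5] << 8) | (uint32_t)hdr[6];
}

/* Unchecked (assumed 32-bit sum): wraps when frame_size is near UINT32_MAX,
 * so the buffer sized from it is far smaller than the frame to be copied. */
uint32_t target_size_unchecked(const uint8_t hdr[HEADER_SIZE]) {
  return decode_frame_size(hdr) + HEADER_SIZE + FOOTER_SIZE;
}

/* Checked: reject frame_size > INT32_MAX before doing any arithmetic.
 * Returns 0 and sets *out on success, -1 for a frame that must be refused. */
int target_size_checked(const uint8_t hdr[HEADER_SIZE], uint32_t *out) {
  uint32_t frame_size = decode_frame_size(hdr);
  if (frame_size > (uint32_t)INT32_MAX) {
    return -1;
  }
  /* Largest possible sum is 0x7FFFFFFF + 8, which still fits in 32 bits. */
  *out = frame_size + HEADER_SIZE + FOOTER_SIZE;
  return 0;
}

/* Constructed sample headers (frame type 1, channel 0). */
static const uint8_t HDR_HUGE[HEADER_SIZE] = {1, 0, 0, 0xFF, 0xFF, 0xFF, 0xFC};
static const uint8_t HDR_OK[HEADER_SIZE] = {1, 0, 0, 0x00, 0x00, 0x10, 0x00};

int main(void) {
  uint32_t t = 0;
  printf("unchecked target_size, frame_size 0xFFFFFFFC: %u\n",
         (unsigned)target_size_unchecked(HDR_HUGE));
  printf("checked, frame_size 0xFFFFFFFC: %d\n",
         target_size_checked(HDR_HUGE, &t));
  printf("checked, frame_size 4096: %d (target_size=%u)\n",
         target_size_checked(HDR_OK, &t), (unsigned)t);
  return 0;
}
```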