FFmpeg

mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-12-25 22:17:24 +02:00

Files

Oliver Chang d6458f6a8b avcodec/aacdec: Fix heap-use-after-free in USAC decoding

A heap-use-after-free vulnerability was identified in
`libavcodec/aac/aacdec.c`.  When `che_configure` frees a
`ChannelElement` (`ac->che[type][id]`), it failed to clear all
references to it in `ac->tag_che_map`.  `ac->tag_che_map` caches
pointers to `ChannelElement`s and can contain cross-type mappings (e.g.,
a `TYPE_SCE` tag mapping to a `TYPE_LFE` element).

In a USAC stream reconfiguration scenario, an LFE element was freed, but
a stale pointer remained in `ac->tag_che_map`. Subsequent calls to
`ff_aac_get_che` returned this dangling pointer, leading to a crash in
`decode_usac_core_coder`.

This commit fixes the issue by iterating over the entire
`ac->tag_che_map` in `che_configure` and clearing any entries that point
to the `ChannelElement` about to be freed, ensuring no dangling pointers
remain.

Fixes: https://issues.oss-fuzz.com/issues/440220467

2025-12-04 09:34:32 +00:00

aacdec_ac.c

aacdec_ac: fix signed overflow in ff_aac_ac_update_context()

2025-05-24 02:19:18 +09:00

aacdec_ac.h

aacdec_ac: fix an overread

2024-06-21 10:50:21 +02:00

aacdec_dsp_template.c

avcodec/lpc_functions: compute_lpc_coefs: add starting lpc order and err cache parameters

2025-06-23 17:11:09 +10:00

aacdec_fixed_coupling.h

aacdec: move aacdec.h into libavcodec/aac