mirror of
https://git.ffmpeg.org/ffmpeg.git
synced 2026-02-06 01:44:53 +00:00
274064a5c7
Extensions in AAC USAC can be stored across multiple frames (mainly to keep CBR compliance).
This means that we need to reallocate a buffer when new data is received, accumulate the bitstream data,
and so on until the end of extension flag is signalled and the extension can be decoded.
This is made more complicated by the way in which the AAC channel layout switching is performed.
After decades of evolution, our AAC decoder evolved to double-buffer its entire configuration.
All changes are buffered, verified, and applied, on a per-frame basis if required, in often
random order.
Since we allocate the extension data on heap, this means that if configuration is applied,
in order to avoid double-freeing, we have to keep track of what we've allocated.
It should be noted that extensions which are spread in multiple frames are generally rare,
so an optimization to introduce av_refstruct_realloc() wouldn't generally be useful across the codebase.
Therefore, a copy is good enough for now.
Thanks to Michael Niedermayer for additional fixing.
Fixes: double free
Fixes: 393523547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6740617236905984
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| aacdec.c | ||
| aacdec.h | ||
| aacdec_ac.c | ||
| aacdec_ac.h | ||
| aacdec_dsp_template.c | ||
| aacdec_fixed.c | ||
| aacdec_fixed_coupling.h | ||
| aacdec_fixed_dequant.h | ||
| aacdec_fixed_prediction.h | ||
| aacdec_float.c | ||
| aacdec_float_coupling.h | ||
| aacdec_float_prediction.h | ||
| aacdec_latm.h | ||
| aacdec_lpd.c | ||
| aacdec_lpd.h | ||
| aacdec_proc_template.c | ||
| aacdec_tab.c | ||
| aacdec_tab.h | ||
| aacdec_usac.c | ||
| aacdec_usac.h | ||
| Makefile | ||