ffmpeg/libavcodec/aac
Oliver Chang d6458f6a8b avcodec/aacdec: Fix heap-use-after-free in USAC decoding
A heap-use-after-free vulnerability was identified in
`libavcodec/aac/aacdec.c`.  When `che_configure` frees a
`ChannelElement` (`ac->che[type][id]`), it failed to clear all
references to it in `ac->tag_che_map`.  `ac->tag_che_map` caches
pointers to `ChannelElement`s and can contain cross-type mappings (e.g.,
a `TYPE_SCE` tag mapping to a `TYPE_LFE` element).

In a USAC stream reconfiguration scenario, an LFE element was freed, but
a stale pointer remained in `ac->tag_che_map`. Subsequent calls to
`ff_aac_get_che` returned this dangling pointer, leading to a crash in
`decode_usac_core_coder`.

This commit fixes the issue by iterating over the entire
`ac->tag_che_map` in `che_configure` and clearing any entries that point
to the `ChannelElement` about to be freed, ensuring no dangling pointers
remain.

Fixes: https://issues.oss-fuzz.com/issues/440220467
2025-12-04 09:34:32 +00:00
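The commit describes a classic pattern: an owning table (`ac->che`) and a non-owning pointer cache (`ac->tag_che_map`) that can refer to the same element under a different tag type, and a teardown path that only invalidated one of the cache's entries. The following is an added, constructed model of that pattern written for this page, not code from FFmpeg or from the commit: the names `che`, `tag_che_map`, `get_che` and the buggy/fixed teardown mirror the commit message, but the struct layout, the element-type enum and the `MAX_ELEM_ID` bound are assumptions chosen to keep the example self-contained. It runs the reconfiguration scenario (an LFE element cached under an SCE tag, then freed) against both teardowns and reports whether the cache still points only at live elements.

```c
/* Constructed model of the tag_che_map dangling-pointer bug; not FFmpeg code.
 * Struct layout, element types and array sizes are assumptions. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

enum { TYPE_SCE, TYPE_CPE, TYPE_LFE, TYPE_NUM };   /* assumed subset of element types */
#define MAX_ELEM_ID 16

typedef struct ChannelElement {
    int type;
    int id;
    float coeffs[1024];                                /* placeholder payload */
} ChannelElement;

typedef struct AACDecContext {
    ChannelElement *che[TYPE_NUM][MAX_ELEM_ID];          /* owning table */
    ChannelElement *tag_che_map[TYPE_NUM][MAX_ELEM_ID];  /* non-owning cache, may cross types */
} AACDecContext;

static ChannelElement *che_alloc(AACDecContext *ac, int type, int id)
{
    ChannelElement *che = calloc(1, sizeof(*che));
    if (!che)
        return NULL;
    che->type = type;
    che->id   = id;
    ac->che[type][id] = che;
    return che;
}

/* Cache a lookup: a tag of one type may resolve to an element of another type. */
static void map_tag(AACDecContext *ac, int tag_type, int tag_id, int type, int id)
{
    ac->tag_che_map[tag_type][tag_id] = ac->che[type][id];
}

/* Model of the cached lookup the decoder performs per element. */
static ChannelElement *get_che(AACDecContext *ac, int tag_type, int tag_id)
{
    return ac->tag_che_map[tag_type][tag_id];
}

/* Buggy teardown: only the same-type cache slot is cleared, so a cross-type
 * entry (an SCE tag mapped to an LFE element) keeps the freed pointer. */
static void che_free_buggy(AACDecContext *ac, int type, int id)
{
    ChannelElement *che = ac->che[type][id];
    if (!che)
        return;
    ac->tag_che_map[type][id] = NULL;
    ac->che[type][id] = NULL;
    free(che);
}

/* Fixed teardown: sweep the whole cache and drop every entry pointing at the
 * element before freeing it, whatever tag type it was cached under. */
static void che_free_fixed(AACDecContext *ac, int type, int id)
{
    ChannelElement *che = ac->che[type][id];
    if (!che)
        return;
    for (int t = 0; t < TYPE_NUM; t++)
        for (int i = 0; i < MAX_ELEM_ID; i++)
            if (ac->tag_che_map[t][i] == che)
                ac->tag_che_map[t][i] = NULL;
    ac->che[type][id] = NULL;
    free(che);
}

/* Returns 1 if every non-NULL cache entry refers to a live element in ac->che. */
static int tag_map_consistent(const AACDecContext *ac)
{
    for (int t = 0; t < TYPE_NUM; t++)
        for (int i = 0; i < MAX_ELEM_ID; i++) {
            const ChannelElement *p = ac->tag_che_map[t][i];
            if (!p)
                continue;
            int live = 0;
            for (int u = 0; u < TYPE_NUM && !live; u++)
                for (int j = 0; j < MAX_ELEM_ID; j++)
                    if (ac->che[u][j] == p) { live = 1; break; }
            if (!live)
                return 0;
        }
    return 1;
}

/* Reconfiguration scenario from the commit: an LFE element is cached under
 * both its own tag and an SCE tag, then freed. Returns 1 when no dangling
 * entry remains. The stale pointer is only compared, never dereferenced;
 * dereferencing it is the heap-use-after-free the commit describes. */
static int run_scenario(void (*free_fn)(AACDecContext *, int, int))
{
    AACDecContext ac;
    memset(&ac, 0, sizeof(ac));
    che_alloc(&ac, TYPE_LFE, 0);
    map_tag(&ac, TYPE_LFE, 0, TYPE_LFE, 0);   /* same-type entry */
    map_tag(&ac, TYPE_SCE, 0, TYPE_LFE, 0);   /* cross-type entry */
    free_fn(&ac, TYPE_LFE, 0);                /* stream reconfiguration drops the LFE */
    return tag_map_consistent(&ac) && get_che(&ac, TYPE_SCE, 0) == NULL;
}

int scenario_buggy(void) { return run_scenario(che_free_buggy); }   /* returns 0 */
int scenario_fixed(void) { return run_scenario(che_free_fixed); }   /* returns 1 */
```

The consistency check is the invariant a reviewer would want stated for any non-owning pointer cache: every cached pointer must be reachable from the owning table. Building the scenario under AddressSanitizer and adding a read through the pointer `get_che` returns after `che_free_buggy` reproduces the heap-use-after-free class of report the commit fixes.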
aacdec.c avcodec/aacdec: Fix heap-use-after-free in USAC decoding 2025-12-04 09:34:32 +00:00
aacdec.h aacdec_usac: use RefStruct to track unfinished extension buffers 2025-08-19 14:32:21 +00:00
aacdec_ac.c aacdec_ac: fix signed overflow in ff_aac_ac_update_context() 2025-05-24 02:19:18 +09:00
aacdec_ac.h
aacdec_dsp_template.c avcodec/lpc_functions: compute_lpc_coefs: add starting lpc order and err cache parameters 2025-06-23 17:11:09 +10:00
aacdec_fixed.c
aacdec_fixed_coupling.h
aacdec_fixed_dequant.h
aacdec_fixed_prediction.h
aacdec_float.c
aacdec_float_coupling.h
aacdec_float_prediction.h
aacdec_latm.h
aacdec_lpd.c
aacdec_lpd.h
aacdec_proc_template.c
aacdec_tab.c
aacdec_tab.h
aacdec_usac.c aacdec_usac: use RefStruct to track unfinished extension buffers 2025-08-19 14:32:21 +00:00
aacdec_usac.h
Makefile