mirror of https://git.ffmpeg.org/ffmpeg.git, synced 2026-06-05 15:00:35 +00:00
`spectrum_decode` currently executes Frequency Domain (FD) decoding steps
for all channels, regardless of their `core_mode`. When a channel is in
Linear Prediction Domain (LPD) mode (`core_mode == 1`), FD-specific
parameters such as scalefactor offsets (`sfo`) and individual channel
stream (`ics`) information are not parsed.
This causes a global-buffer-overflow in `dequant_scalefactors`. Because
`spectrum_scale` is called on LPD channels, it uses stale or
uninitialized `sfo` values to index `ff_aac_pow2sf_tab`. In the reported
crash, a stale `sfo` value of 240 resulted in an index of 440
(240 + POW_SF2_ZERO), exceeding the table's size of 428.
Fix this by ensuring `spectrum_scale` and `imdct_and_windowing` are only
called for channels where `core_mode == 0` (FD).
Co-authored-by: CodeMender <codemender-patching@google.com>
Fixes: https://issues.oss-fuzz.com/486160985
(cherry picked from commit
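As an added illustration of the out-of-range lookup the message describes and of the guard the fix introduces, here is a reduced model in C; it is not FFmpeg's code. It takes its constants from the message (428 table entries, and a stale sfo of 240 giving index 440, so POW_SF2_ZERO is 200); DemoChannel, MAX_SFB, dequant_scalefactors_checked and demo_stale_lpd are constructed for the demo.

```c
#include <string.h>
/* Values from the commit message: ff_aac_pow2sf_tab has 428 entries and a
 * stale sfo of 240 produced index 440, so the offset POW_SF2_ZERO is 200. */
#define POW_SF2_TAB_SIZE 428
#define POW_SF2_ZERO     200
#define MAX_SFB          8   /* constructed: small band count for the demo */
enum { CORE_MODE_FD = 0, CORE_MODE_LPD = 1 };

/* Constructed stand-in for a channel element, reduced to the fields involved. */
typedef struct {
    int core_mode;
    int sfo[MAX_SFB];   /* scalefactor offsets; only parsed on the FD path */
} DemoChannel;

/* Bounds-checked counterpart of the lookup in dequant_scalefactors: 0 when
 * every index lies inside the table, -1 instead of reading past its end. */
static int dequant_scalefactors_checked(const DemoChannel *ch)
{
    for (int sfb = 0; sfb < MAX_SFB; sfb++) {
        int idx = ch->sfo[sfb] + POW_SF2_ZERO;
        if (idx < 0 || idx >= POW_SF2_TAB_SIZE)
            return -1;
    }
    return 0;
}

/* skip_lpd == 0 models the old behaviour (scale every channel);
 * skip_lpd == 1 models the fix (FD-only steps run only when core_mode is FD). */
static int spectrum_decode(const DemoChannel *chs, int n, int skip_lpd)
{
    for (int i = 0; i < n; i++) {
        if (skip_lpd && chs[i].core_mode != CORE_MODE_FD)
            continue;
        if (dequant_scalefactors_checked(&chs[i]) < 0)
            return -1;
    }
    return 0;
}

/* Constructed scenario: one FD channel plus one LPD channel whose sfo still
 * holds a stale 240 from an earlier frame. Returns spectrum_decode's result. */
static int demo_stale_lpd(int skip_lpd)
{
    DemoChannel chs[2];
    memset(chs, 0, sizeof(chs));   /* FD channel: sfo 0 -> index 200, in range */
    chs[0].core_mode = CORE_MODE_FD;
    chs[1].core_mode = CORE_MODE_LPD;
    chs[1].sfo[3] = 240;           /* stale value: index 440 >= 428 */
    return spectrum_decode(chs, 2, skip_lpd);
}
```

With the real table the unguarded path reads past the end of the array; the checked version turns the same stale offset into a reported error, which is the sort of assertion worth keeping in a fuzzing build.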