ffmpeg/libavcodec/aac
Oliver Chang d6458f6a8b avcodec/aacdec: Fix heap-use-after-free in USAC decoding
A heap-use-after-free vulnerability was identified in
`libavcodec/aac/aacdec.c`.  When `che_configure` frees a
`ChannelElement` (`ac->che[type][id]`), it failed to clear all
references to it in `ac->tag_che_map`.  `ac->tag_che_map` caches
pointers to `ChannelElement`s and can contain cross-type mappings (e.g.,
a `TYPE_SCE` tag mapping to a `TYPE_LFE` element).

In a USAC stream reconfiguration scenario, an LFE element was freed, but
a stale pointer remained in `ac->tag_che_map`. Subsequent calls to
`ff_aac_get_che` returned this dangling pointer, leading to a crash in
`decode_usac_core_coder`.

This commit fixes the issue by iterating over the entire
`ac->tag_che_map` in `che_configure` and clearing any entries that point
to the `ChannelElement` about to be freed, ensuring no dangling pointers
remain.

Fixes: https://issues.oss-fuzz.com/issues/440220467
2025-12-04 09:34:32 +00:00
aacdec.c avcodec/aacdec: Fix heap-use-after-free in USAC decoding 2025-12-04 09:34:32 +00:00
aacdec.h aacdec_usac: use RefStruct to track unfinished extension buffers 2025-08-19 14:32:21 +00:00
aacdec_ac.c aacdec_ac: fix signed overflow in ff_aac_ac_update_context() 2025-05-24 02:19:18 +09:00
aacdec_ac.h aacdec_ac: fix an overread 2024-06-21 10:50:21 +02:00
aacdec_dsp_template.c avcodec/lpc_functions: compute_lpc_coefs: add starting lpc order and err cache parameters 2025-06-23 17:11:09 +10:00
aacdec_fixed.c aacdec_dsp: implement 768-point transform and windowing 2024-06-02 18:34:44 +02:00
aacdec_fixed_coupling.h aacdec: move aacdec.h into libavcodec/aac 2024-04-23 08:31:40 +02:00
aacdec_fixed_dequant.h aacdec: move spectrum decode and dequantization to a new file 2024-04-23 08:31:35 +02:00
aacdec_fixed_prediction.h aacdec: move prediction to separate files 2024-04-23 08:31:37 +02:00
aacdec_float.c aacdec_dsp: implement 768-point transform and windowing 2024-06-02 18:34:44 +02:00
aacdec_float_coupling.h aacdec: move aacdec.h into libavcodec/aac 2024-04-23 08:31:40 +02:00
aacdec_float_prediction.h aacdec: move prediction to separate files 2024-04-23 08:31:37 +02:00
aacdec_latm.h avcodec/codec_internal, all: Use macros to set deprecated AVCodec fields 2025-03-10 00:57:23 +01:00
aacdec_lpd.c avcodec/aac/aacdec_lpd: Remove dead code 2025-04-03 06:04:57 +02:00
aacdec_lpd.h aacdec: add a decoder for AAC USAC (xHE-AAC) 2024-06-02 18:34:45 +02:00
aacdec_proc_template.c avcodec/aac/aacdec: Fix linking errors with only one decoder enabled 2024-05-07 12:33:50 +02:00
aacdec_tab.c
aacdec_tab.h
aacdec_usac.c aacdec_usac: use RefStruct to track unfinished extension buffers 2025-08-19 14:32:21 +00:00
aacdec_usac.h aacdec: add a decoder for AAC USAC (xHE-AAC) 2024-06-02 18:34:45 +02:00
Makefile aacdec: add a decoder for AAC USAC (xHE-AAC) 2024-06-02 18:34:45 +02:00