This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new a795ca89fa avcodec/qdm2: fix heap-use-after-free in qdm2_decode_frame
a795ca89fa is described below
commit a795ca89fa2f49f80cbe7a9fa323f278abf62e7f
Author: Oliver Chang <[email protected]>
AuthorDate: Tue Feb 3 05:36:52 2026 +0000
Commit: James Almer <[email protected]>
CommitDate: Tue Feb 3 18:17:32 2026 +0000
avcodec/qdm2: fix heap-use-after-free in qdm2_decode_frame
The `sub_packet` index in `QDM2Context` was not reset to 0 when
`qdm2_decode_frame` started processing a new packet. If an error
occurred during the decoding of a previous packet, `sub_packet` would
retain a non-zero value.
In subsequent calls to `qdm2_decode_frame` with a new packet, this
non-zero `sub_packet` value caused `qdm2_decode` to skip
`qdm2_decode_super_block`. This function is responsible for initializing
packet lists with pointers to the current packet's data. Skipping it led
to the use of stale pointers from the previous (freed) packet, resulting
in a heap-use-after-free vulnerability.
This patch explicitly resets `s->sub_packet = 0` at the beginning of
`qdm2_decode_frame`, ensuring correct initialization for each new
packet.
Fixes: OSS-Fuzz issue 476179569
(https://issues.oss-fuzz.com/issues/476179569).
---
libavcodec/qdm2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index ec2ff7f022..796321f9d8 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1929,6 +1929,8 @@ static int qdm2_decode_frame(AVCodecContext *avctx,
AVFrame *frame,
if(buf_size < s->checksum_size)
return AVERROR_INVALIDDATA;
+ s->sub_packet = 0;
+
/* get output buffer */
frame->nb_samples = 16 * s->frame_size;
if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
