[FFmpeg-cvslog] [ffmpeg] avcodec/aac/aacdec_usac_mps212: fix attach_lsb() OOB after huff_decode (branch master)

Sun, 03 May 2026 08:12:07 -0700 

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new 2e32276872 avcodec/aac/aacdec_usac_mps212: fix attach_lsb() OOB after 
huff_decode
2e32276872 is described below

commit 2e32276872d330b9a9e97de68d62dd7a679b1221
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sat May 2 20:00:22 2026 +0200
Commit:     michaelni <[email protected]>
CommitDate: Sun May 3 15:11:28 2026 +0000

    avcodec/aac/aacdec_usac_mps212: fix attach_lsb() OOB after huff_decode
    
    Fixes: VS-FF-2026-0001/poc.wav
    
    Reported-by: Vuln Seeker Cyber Security Team
---
 libavcodec/aac/aacdec_usac_mps212.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/libavcodec/aac/aacdec_usac_mps212.c 
b/libavcodec/aac/aacdec_usac_mps212.c
index eb780cf0f3..eec7943bb8 100644
--- a/libavcodec/aac/aacdec_usac_mps212.c
+++ b/libavcodec/aac/aacdec_usac_mps212.c
@@ -464,10 +464,10 @@ static int ec_pair_dec(GetBitContext *gb,
     }
 
     if (pair) {
-        p_data[0] = data_pair[0];
-        p_data[1] = data_pair[1];
+        p_data[0] = data_diff[0];
+        p_data[1] = data_diff[1];
     } else {
-        p_data[0] = data_pair[0];
+        p_data[0] = data_diff[0];
         p_data[1] = NULL;
     }
 
@@ -480,7 +480,7 @@ static int ec_pair_dec(GetBitContext *gb,
     if (pair && (diff_freq[0] || diff_time_back))
         diff_freq[1] = !get_bits1(gb);
 
-    int time_pair;
+    int time_pair = 0;
     huff_decode(gb, p_data, data_type, diff_freq,
                 nb_bands, &time_pair);
 
@@ -534,11 +534,11 @@ static int ec_pair_dec(GetBitContext *gb,
     }
 
     /* Decode LSBs */
-    attach_lsb(gb, p_data[0], quant_offset, attach_lsb_flag,
-               nb_bands, p_data[0]);
+    attach_lsb(gb, data_pair[0], quant_offset, attach_lsb_flag,
+               nb_bands, data_pair[0]);
     if (pair)
-        attach_lsb(gb, p_data[1], quant_offset, attach_lsb_flag,
-                   nb_bands, p_data[1]);
+        attach_lsb(gb, data_pair[1], quant_offset, attach_lsb_flag,
+                   nb_bands, data_pair[1]);
 
     memcpy(&set1[start_band], data_pair[0], 2*nb_bands);
     if (pair)

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to