This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit 0b0a2d236d6465043ec80f76619ebe66edacb485 Author: Michael Niedermayer <[email protected]> AuthorDate: Tue Mar 31 15:51:52 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun May 3 19:24:50 2026 +0200 avcodec/aac/aacdec_usac: Implement missing bits of otts_bands_phase and residual_bands computation Fixes: out of array access Fixes: matejsmycka/poc.mp4 Introducing commit: `baad75cafa6bac298b72c177f657a2eb8e31cff1` — "aacdec_usac: add support for parsing Mpsp212 (MPEG surround)", 2025-11-17. Found-by: Matěj Smyčka <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit ddcb9dd3b5d21d055774abd61ae609ecb728cb1c) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/aac/aacdec_usac.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c index 74a3badaf4..2f4db63ba0 100644 --- a/libavcodec/aac/aacdec_usac.c +++ b/libavcodec/aac/aacdec_usac.c @@ -215,6 +215,8 @@ static int decode_usac_element_pair(AACDecContext *ac, if (e->stereo_config_index) { e->mps.freq_res = get_bits(gb, 3); /* bsFreqRes */ + int numBands = ((int[]){0,28,20,14,10,7,5,4})[e->mps.freq_res]; // ISO/IEC 23003-1:2007, 5.2, Table 39 + e->mps.fixed_gain = get_bits(gb, 3); /* bsFixedGainDMX */ e->mps.temp_shape_config = get_bits(gb, 2); /* bsTempShapeConfig */ e->mps.decorr_config = get_bits(gb, 2); /* bsDecorrConfig */ @@ -222,12 +224,21 @@ static int decode_usac_element_pair(AACDecContext *ac, e->mps.phase_coding = get_bits1(gb); /* bsPhaseCoding */ e->mps.otts_bands_phase_present = get_bits1(gb); - if (e->mps.otts_bands_phase_present) /* bsOttBandsPhasePresent */ - e->mps.otts_bands_phase = get_bits(gb, 5); /* bsOttBandsPhase */ + int otts_bands_phase = ((int[]){0,10,10,7,5,3,2,2})[e->mps.freq_res]; // Table 109 — Default value of bsOttBandsPhase + if (e->mps.otts_bands_phase_present) { /* bsOttBandsPhasePresent */ + otts_bands_phase = get_bits(gb, 5); /* bsOttBandsPhase */ + if (otts_bands_phase > numBands) + return AVERROR_INVALIDDATA; + } + e->mps.otts_bands_phase = otts_bands_phase; e->mps.residual_coding = e->stereo_config_index >= 2; /* bsResidualCoding */ if (e->mps.residual_coding) { - e->mps.residual_bands = get_bits(gb, 5); /* bsResidualBands */ + int residual_bands = get_bits(gb, 5); /* bsResidualBands */ + if (residual_bands > numBands) + return AVERROR_INVALIDDATA; + e->mps.residual_bands = residual_bands; + e->mps.otts_bands_phase = FFMAX(e->mps.otts_bands_phase, e->mps.residual_bands); e->mps.pseudo_lr = get_bits1(gb); /* bsPseudoLr */ _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
