[FFmpeg-cvslog] [ffmpeg] 71/71: avcodec/aac/aacdec_usac_mps212: fix attach_lsb() OOB after huff_decode

Sun, 03 May 2026 10:45:35 -0700 

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch release/8.1
in repository ffmpeg.

commit 140d581786800b4e91439e133e4290c96c82a211
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sat May 2 20:00:22 2026 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Sun May 3 19:25:01 2026 +0200

    avcodec/aac/aacdec_usac_mps212: fix attach_lsb() OOB after huff_decode
    
    Fixes: VS-FF-2026-0001/poc.wav
    
    Reported-by: Vuln Seeker Cyber Security Team
    (cherry picked from commit 2e32276872d330b9a9e97de68d62dd7a679b1221)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/aac/aacdec_usac_mps212.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/libavcodec/aac/aacdec_usac_mps212.c 
b/libavcodec/aac/aacdec_usac_mps212.c
index 3e4119d3fc..3c1b1cf30e 100644
--- a/libavcodec/aac/aacdec_usac_mps212.c
+++ b/libavcodec/aac/aacdec_usac_mps212.c
@@ -464,10 +464,10 @@ static int ec_pair_dec(GetBitContext *gb,
     }
 
     if (pair) {
-        p_data[0] = data_pair[0];
-        p_data[1] = data_pair[1];
+        p_data[0] = data_diff[0];
+        p_data[1] = data_diff[1];
     } else {
-        p_data[0] = data_pair[0];
+        p_data[0] = data_diff[0];
         p_data[1] = NULL;
     }
 
@@ -480,7 +480,7 @@ static int ec_pair_dec(GetBitContext *gb,
     if (pair && (diff_freq[0] || diff_time_back))
         diff_freq[1] = !get_bits1(gb);
 
-    int time_pair;
+    int time_pair = 0;
     huff_decode(gb, p_data, data_type, diff_freq,
                 nb_bands, &time_pair);
 
@@ -534,11 +534,11 @@ static int ec_pair_dec(GetBitContext *gb,
     }
 
     /* Decode LSBs */
-    attach_lsb(gb, p_data[0], quant_offset, attach_lsb_flag,
-               nb_bands, p_data[0]);
+    attach_lsb(gb, data_pair[0], quant_offset, attach_lsb_flag,
+               nb_bands, data_pair[0]);
     if (pair)
-        attach_lsb(gb, p_data[1], quant_offset, attach_lsb_flag,
-                   nb_bands, p_data[1]);
+        attach_lsb(gb, data_pair[1], quant_offset, attach_lsb_flag,
+                   nb_bands, data_pair[1]);
 
     memcpy(&set1[start_band], data_pair[0], 2*nb_bands);
     if (pair)

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to