This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.0 in repository ffmpeg.
commit 60a34e5a19b2132055a170962bf36660df56c3b8
Author: Oliver Chang <[email protected]>
AuthorDate: Wed Dec 3 04:53:09 2025 +0000
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun May 3 19:49:51 2026 +0200

    avcodec/aacdec: Fix heap-use-after-free in USAC decoding

    A heap-use-after-free vulnerability was identified in `libavcodec/aac/aacdec.c`.

    When `che_configure` frees a `ChannelElement` (`ac->che[type][id]`), it failed to clear all references to it in `ac->tag_che_map`. `ac->tag_che_map` caches pointers to `ChannelElement`s and can contain cross-type mappings (e.g., a `TYPE_SCE` tag mapping to a `TYPE_LFE` element).

    In a USAC stream reconfiguration scenario, an LFE element was freed, but a stale pointer remained in `ac->tag_che_map`. Subsequent calls to `ff_aac_get_che` returned this dangling pointer, leading to a crash in `decode_usac_core_coder`.

    This commit fixes the issue by iterating over the entire `ac->tag_che_map` in `che_configure` and clearing any entries that point to the `ChannelElement` about to be freed, ensuring no dangling pointers remain.

    Fixes: https://issues.oss-fuzz.com/issues/440220467

    (cherry picked from commit d6458f6a8bf188a9b323962b7cb01dc855a89936)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/aac/aacdec.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/aac/aacdec.c b/libavcodec/aac/aacdec.c
index 9b42014ee8..b8d53036d4 100644
--- a/libavcodec/aac/aacdec.c
+++ b/libavcodec/aac/aacdec.c
@@ -164,6 +164,12 @@ static av_cold int che_configure(AACDecContext *ac, } } else { if (ac->che[type][id]) { + for (int i = 0; i < FF_ARRAY_ELEMS(ac->tag_che_map); i++) { + for (int j = 0; j < MAX_ELEM_ID; j++) { + if (ac->tag_che_map[i][j] == ac->che[type][id]) + ac->tag_che_map[i][j] = NULL; + } + } ac->proc.sbr_ctx_close(ac->che[type][id]); } av_freep(&ac->che[type][id]); _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
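Review bot: the inner loop bound in the new sweep is hard-coded as MAX_ELEM_ID while the outer one uses FF_ARRAY_ELEMS(ac->tag_che_map); using FF_ARRAY_ELEMS(ac->tag_che_map[i]) for the inner bound as well would keep the sweep tied to the array's actual declaration rather than to a constant that has to stay in sync with it. A one-line comment above the loop stating why the whole map must be scanned (ac->tag_che_map can hold cross-type entries, so clearing only tag_che_map[type][id] would leave the stale pointer behind, per the commit message) would save the next reader a trip to the history. Placing the sweep inside the `if (ac->che[type][id])` block is correct since av_freep tolerates NULL and there is nothing to clear in that case; it is worth confirming that no other path frees a ChannelElement without the same cleanup, since a stale entry reachable through ff_aac_get_che would reproduce the same class of use-after-free.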
