This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/5.1 in repository ffmpeg.
commit 115ff6126a674d54ee915cba29ea06bdc27335b4 Author: Oliver Chang <[email protected]> AuthorDate: Tue Feb 3 05:36:52 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 15:20:59 2026 +0200 avcodec/qdm2: fix heap-use-after-free in qdm2_decode_frame The `sub_packet` index in `QDM2Context` was not reset to 0 when `qdm2_decode_frame` started processing a new packet. If an error occurred during the decoding of a previous packet, `sub_packet` would retain a non-zero value. In subsequent calls to `qdm2_decode_frame` with a new packet, this non-zero `sub_packet` value caused `qdm2_decode` to skip `qdm2_decode_super_block`. This function is responsible for initializing packet lists with pointers to the current packet's data. Skipping it led to the use of stale pointers from the previous (freed) packet, resulting in a heap-use-after-free vulnerability. This patch explicitly resets `s->sub_packet = 0` at the beginning of `qdm2_decode_frame`, ensuring correct initialization for each new packet. Fixes: OSS-Fuzz issue 476179569 (https://issues.oss-fuzz.com/issues/476179569). (cherry picked from commit a795ca89fa2f49f80cbe7a9fa323f278abf62e7f) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/qdm2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 427e8e8449..71ce66d38b 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1852,6 +1852,8 @@ static int qdm2_decode_frame(AVCodecContext *avctx, AVFrame *frame, if(buf_size < s->checksum_size) return -1; + s->sub_packet = 0; + /* get output buffer */ frame->nb_samples = 16 * s->frame_size; if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
