PR #23300 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23300 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23300.patch
>From f17f2bd000e7ff8922b265117a0aa46b8b268158 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Sun, 31 May 2026 19:50:57 +0200
Subject: [PATCH 1/4] avcodec/aac/aacdec_usac: reject explicit usacSamplingFrequency of 0
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/aac/aacdec_usac.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
index 0f1bb50a99..e484d6504c 100644
--- a/libavcodec/aac/aacdec_usac.c
+++ b/libavcodec/aac/aacdec_usac.c
@@ -377,6 +377,8 @@ int ff_aac_usac_config_decode(AACDecContext *ac, AVCodecContext *avctx,
 freq_idx = get_bits(gb, 5); /* usacSamplingFrequencyIndex */
 if (freq_idx == 0x1f) {
 samplerate = get_bits(gb, 24); /* usacSamplingFrequency */
+ if (samplerate == 0)
+ return AVERROR(EINVAL);
 } else {
 samplerate = ff_aac_usac_samplerate[freq_idx];
 if (samplerate < 0)
--
2.52.0
>From 17ad347d82e4d55fb42a5d91dfe44b6678e7e37b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Mon, 1 Jun 2026 04:39:03 +0200
Subject: [PATCH 2/4] avcodec/aac/aacdec: More detailed warning about sample rates
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/aac/aacdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/aac/aacdec.c b/libavcodec/aac/aacdec.c
index 73e2457924..7799f73c40 100644
--- a/libavcodec/aac/aacdec.c
+++ b/libavcodec/aac/aacdec.c
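Review bot: The new `samplerate == 0` rejection in the `freq_idx == 0x1f` branch returns without logging anything, so a stream refused here gives no hint of why configuration failed; an `av_log(avctx, AV_LOG_ERROR, "Invalid usacSamplingFrequency 0\n");` before the return would make it diagnosable. Because the zero comes from the bitstream rather than from a caller argument, `AVERROR_INVALIDDATA` may describe it better than `AVERROR(EINVAL)`. The return statement of the table-lookup branch lies outside the hunk, so whichever code is chosen should be checked against it for consistency. ff_aac_usac_config_decode starts and ends outside the hunk.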
@@ -831,8 +831,8 @@ static int decode_pce(AVCodecContext *avctx, MPEG4AudioConfig *m4ac,
 sampling_index = get_bits(gb, 4);
 if (m4ac->sampling_index != sampling_index)
 av_log(avctx, AV_LOG_WARNING,
- "Sample rate index in program config element does not "
- "match the sample rate index configured by the container.\n");
+ "Sample rate index (%d) in program config element does not "
+ "match the sample rate index (%d) configured by the container.\n", sampling_index, m4ac->sampling_index);
 num_front = get_bits(gb, 4);
 num_side = get_bits(gb, 4);
--
2.52.0
>From a82d85507ad35ca575eddc6f031183bdb5433ae0 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Sun, 31 May 2026 19:50:37 +0200
Subject: [PATCH 3/4] avcodec/aac/aacdec: reject decoded frame without a valid sample rate
Later code will turn this into AVERROR_BUG When returning sample_rate == 0 samples is considered a bug, we have no nice choice but to error out cleanly
Fixes: assertion failure
Fixes: ffmpeg_AV_CODEC_ID_AAC_DEC_fuzzer crash-0a86d46fef2442b222ee34403c21f7f582ffccb0
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/aac/aacdec.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libavcodec/aac/aacdec.c b/libavcodec/aac/aacdec.c
index 7799f73c40..0d9672be75 100644
--- a/libavcodec/aac/aacdec.c
+++ b/libavcodec/aac/aacdec.c
@@ -2382,6 +2382,12 @@ static int decode_frame_ga(AVCodecContext *avctx, AACDecContext *ac,
 ac->oc[1].status = OC_LOCKED;
 }
+ if (samples && avctx->sample_rate <= 0) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Cannot output a frame without a valid sample rate\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 if (!ac->frame->data[0] && samples) {
 av_log(avctx, AV_LOG_ERROR, "no frame data found\n");
 return AVERROR_INVALIDDATA;
--
2.52.0
>From 03a6c18656534e4c0d2744e44792bdfbd133c588 Mon Sep 17 00:00:00 2001
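Review bot: The second added string line in decode_pce now carries both format arguments after the literal, which makes it far longer than the surrounding lines; moving `sampling_index, m4ac->sampling_index);` to its own continuation line would keep the av_log call readable. The argument order does match the message, with the program config element value first and the container value second. Both values are printed with `%d`, which assumes they are plain `int`; their declarations are outside the hunk.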
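Review bot: The new `samples && avctx->sample_rate <= 0` check in decode_frame_ga sits after the visible `ac->oc[1].status = OC_LOCKED;` assignment, so a stream that reaches it may already have its output configuration locked when the frame is rejected. It is worth confirming that every later frame of such a stream fails the same way rather than continuing with that state. The reason for the check exists only in the commit message; a comment such as `/* later code treats returned samples with sample_rate == 0 as a bug */` above the `if` would keep it next to the code. decode_frame_ga starts and ends outside the hunk.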
From: Michael Niedermayer <[email protected]>
Date: Sun, 31 May 2026 18:58:42 +0200
Subject: [PATCH 4/4] avcodec/aac/aacdec_usac: avoid signed overflow in decode_tsd
decode_tsd() computes the binomial coefficient c = C(k, p) incrementally. this commit makes it less overflow prone
Fixes: 515703905/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_DEC_fuzzer-4890954254581760
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/aac/aacdec_usac.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
index e484d6504c..021bc2f766 100644
--- a/libavcodec/aac/aacdec_usac.c
+++ b/libavcodec/aac/aacdec_usac.c
@@ -1390,11 +1390,10 @@ static void decode_tsd(GetBitContext *gb, int *data,
 break;
 }
 int64_t c = k - p + 1;
- for (int h = 2; h <= p; h++) {
- c *= k - p + h;
- c /= h;
+ for (int h = 2; h <= p && c <= s; h++) {
+ c += c*(k-p)/h
 }
- if (s >= (int)c) { /* c is long long for up to 32 slots */
+ if (s >= c) {
 s -= c;
 data[k] = 1;
 p--;
--
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
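Review bot: The added loop body `c += c*(k-p)/h` has no terminating semicolon before the closing brace, so aacdec_usac.c does not compile as posted; it should read `c += c * (k - p) / h;`. The rewrite gives the same integer result as the removed multiply-then-divide pair, and the new `c <= s` loop condition stops once the following `s >= c` comparison is already decided, which is what keeps the product small. That reasoning replaces the removed `/* c is long long for up to 32 slots */` remark and deserves its own comment, for example `/* c only grows; once c > s the test below is false, so stop before the product can overflow */`. decode_tsd starts and ends outside the hunk, so the type of `s` and the guarantee that `k - p` is non-negative here could not be checked.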
