[FFmpeg-devel] [PATCH 1/4] avcodec/opus/dec: Don't use outdated size

From: Andreas Rheinhardt <ffmpegagent-at-gmail.com@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Subject: [FFmpeg-devel] [PATCH 1/4] avcodec/opus/dec: Don't use outdated size
Date: Fri, 04 Jul 2025 10:35:18 +0000
Message-ID: <1211c4131e1fe68ebf58b026ef9e33bc10710c5a.1751625321.git.ffmpegagent@gmail.com> (raw)
In-Reply-To: <pull.105.ffstaging.FFmpeg.1751625321.ffmpegagent@gmail.com>

From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

When flushing, the code would use subpacket sizes from the last
proper packet sent and use this to offset the NULL buf variable
which is UB (this happens in the opus-testvector02 FATE-test).

This also has the potential to make buf != NULL, so that one
would enter the codepath for non-flush packets and try to parse
a subpacket, erroring out because the size would be negative
(I don't have a sample for this as the testvector02 sample
only uses one stream).

Fix this by not using wrong sizes.

Fixes: libavcodec/opus/dec.c:588:18: runtime error: applying non-zero offset 10 to null pointer

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavcodec/opus/dec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/opus/dec.c b/libavcodec/opus/dec.c
index 6c59dc1f46..a43146c82c 100644
--- a/libavcodec/opus/dec.c
+++ b/libavcodec/opus/dec.c
@@ -484,6 +484,7 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
     int coded_samples   = 0;
     int decoded_samples = INT_MAX;
     int delayed_samples = 0;
+    int subpacket_size  = 0;
     int i, ret;
 
     /* calculate the number of delayed samples */
@@ -504,6 +505,7 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
             return ret;
         }
         coded_samples += pkt->frame_count * pkt->frame_duration;
+        subpacket_size = pkt->packet_size;
         c->streams[0].silk_samplerate = get_silk_samplerate(pkt->config);
     }
 
@@ -575,6 +577,7 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
                 return AVERROR_INVALIDDATA;
             }
 
+            subpacket_size     = s->packet.packet_size;
             s->silk_samplerate = get_silk_samplerate(s->packet.config);
         }
 
@@ -585,8 +588,8 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
         s->decoded_samples = ret;
         decoded_samples       = FFMIN(decoded_samples, ret);
 
-        buf      += s->packet.packet_size;
-        buf_size -= s->packet.packet_size;
+        buf       = FF_PTR_ADD(buf, subpacket_size);
+        buf_size -= subpacket_size;
     }
 
     /* buffer the extra samples */
-- 
ffmpeg-codebot

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
