To: ffmpeg-devel@ffmpeg.org
Date: Thu, 04 Dec 2025 01:37:42 -0000
Message-ID: <176481226314.39.8346236030379894789@2cb04c0e5124>
Subject: [FFmpeg-devel] [PATCH] avcodec/aacdec: Fix heap-use-after-free in USAC decoding (PR #21095)
From: oliverchang via ffmpeg-devel
Cc: oliverchang

PR #21095 opened by oliverchang
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21095
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21095.patch

A heap-use-after-free vulnerability was identified in `libavcodec/aac/aacdec.c`. When `che_configure` frees a `ChannelElement` (`ac->che[type][id]`), it failed to clear all references to it in `ac->tag_che_map`.

`ac->tag_che_map` caches pointers to `ChannelElement`s and can contain cross-type mappings (e.g., a `TYPE_SCE` tag mapping to a `TYPE_LFE` element). In a USAC stream reconfiguration scenario, an LFE element was freed, but a stale pointer remained in `ac->tag_che_map`. Subsequent calls to `ff_aac_get_che` returned this dangling pointer, leading to a crash in `decode_usac_core_coder`.

This commit fixes the issue by iterating over the entire `ac->tag_che_map` in `che_configure` and clearing any entries that point to the `ChannelElement` about to be freed, ensuring no dangling pointers remain.

Fixes: https://issues.oss-fuzz.com/issues/440220467
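The stale-pointer condition described above, modelled as an added example (not code from the PR or from FFmpeg): `che_free_naive` clears only the same-type map slot, `che_free_fixed` performs the full scan the patch adds, and `stale_after` counts map entries still holding the freed element's address. The type enum, `MAX_ELEM_ID`, and the struct layout are simplified assumptions, not copied from aacdec.c.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-ins for the decoder's bookkeeping; the enum values and
 * MAX_ELEM_ID are assumptions, not copied from aacdec.c. */
enum { TYPE_SCE, TYPE_CPE, TYPE_CCE, TYPE_LFE, NUM_TYPES };
#define MAX_ELEM_ID 16
typedef struct { int coded_channels; } ChannelElement;
typedef struct {
    ChannelElement *che[NUM_TYPES][MAX_ELEM_ID];         /* owning slots */
    ChannelElement *tag_che_map[NUM_TYPES][MAX_ELEM_ID]; /* cached refs  */
} DecCtx;

/* Buggy release: clears only the same-type map slot, so a cross-type tag
 * (an SCE tag mapped to an LFE element) keeps pointing at freed memory. */
static void che_free_naive(DecCtx *ac, int type, int id)
{
    ac->tag_che_map[type][id] = NULL;
    free(ac->che[type][id]);
    ac->che[type][id] = NULL;
}

/* Release as in the patch: scan the whole map for the element first. */
static void che_free_fixed(DecCtx *ac, int type, int id)
{
    for (int i = 0; i < NUM_TYPES; i++)
        for (int j = 0; j < MAX_ELEM_ID; j++)
            if (ac->tag_che_map[i][j] == ac->che[type][id])
                ac->tag_che_map[i][j] = NULL;
    free(ac->che[type][id]);
    ac->che[type][id] = NULL;
}

/* Scenario from the report: LFE 0 is reachable through its own tag and
 * through SCE tag 0 (cross-type), then freed. Returns how many map entries
 * still hold the freed address (integer compare, nothing is dereferenced). */
static int stale_after(void (*release)(DecCtx *, int, int))
{
    DecCtx ac = {0};
    int stale = 0;
    ac.che[TYPE_LFE][0] = calloc(1, sizeof(ChannelElement));
    ac.tag_che_map[TYPE_LFE][0] = ac.che[TYPE_LFE][0];
    ac.tag_che_map[TYPE_SCE][0] = ac.che[TYPE_LFE][0];
    uintptr_t addr = (uintptr_t)ac.che[TYPE_LFE][0];
    release(&ac, TYPE_LFE, 0);
    for (int i = 0; i < NUM_TYPES; i++)
        for (int j = 0; j < MAX_ELEM_ID; j++)
            stale += (uintptr_t)ac.tag_che_map[i][j] == addr;
    return stale; /* 1 with che_free_naive, 0 with che_free_fixed */
}
```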
>>From 88effdc94f0969832b80fb922474dc8e7d4171a8 Mon Sep 17 00:00:00 2001 From: Oliver Chang Date: Wed, 3 Dec 2025 04:53:09 +0000 Subject: [PATCH] avcodec/aacdec: Fix heap-use-after-free in USAC decoding A heap-use-after-free vulnerability was identified in `libavcodec/aac/aacdec.c`. When `che_configure` frees a `ChannelElement` (`ac->che[type][id]`), it failed to clear all references to it in `ac->tag_che_map`. `ac->tag_che_map` caches pointers to `ChannelElement`s and can contain cross-type mappings (e.g., a `TYPE_SCE` tag mapping to a `TYPE_LFE` element). In a USAC stream reconfiguration scenario, an LFE element was freed, but a stale pointer remained in `ac->tag_che_map`. Subsequent calls to `ff_aac_get_che` returned this dangling pointer, leading to a crash in `decode_usac_core_coder`. This commit fixes the issue by iterating over the entire `ac->tag_che_map` in `che_configure` and clearing any entries that point to the `ChannelElement` about to be freed, ensuring no dangling pointers remain. Fixes: https://issues.oss-fuzz.com/issues/440220467 --- libavcodec/aac/aacdec.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/aac/aacdec.c b/libavcodec/aac/aacdec.c index 9b42014ee8..85911e15e0 100644 --- a/libavcodec/aac/aacdec.c +++ b/libavcodec/aac/aacdec.c @@ -164,6 +164,13 @@ static av_cold int che_configure(AACDecContext *ac, } } else { if (ac->che[type][id]) { + int i, j; + for (i = 0; i < FF_ARRAY_ELEMS(ac->tag_che_map); i++) { + for (j = 0; j < MAX_ELEM_ID; j++) { + if (ac->tag_che_map[i][j] == ac->che[type][id]) + ac->tag_che_map[i][j] = NULL; + } + } ac->proc.sbr_ctx_close(ac->che[type][id]); } av_freep(&ac->che[type][id]); -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
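Review bot: the two loop bounds in the added block are tied to different things: `i` runs to `FF_ARRAY_ELEMS(ac->tag_che_map)` while `j` runs to `MAX_ELEM_ID`, so the scan silently depends on the second dimension of `tag_che_map` staying equal to `MAX_ELEM_ID`; using `FF_ARRAY_ELEMS(ac->tag_che_map[i])` for `j` as well keeps both bounds derived from the array's declaration. A short comment above the scan stating why every element type is searched (the cross-type tag mappings from the commit message, e.g. a `TYPE_SCE` tag pointing at a `TYPE_LFE` element) would also stop a later cleanup from reducing it to clearing only `tag_che_map[type][id]`, which is exactly the gap this hunk closes.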