To: ffmpeg-devel@ffmpeg.org
Date: Thu, 15 Jan 2026 00:21:52 -0000
Message-ID: <176843651261.25.2084360299744095431@4457048688e7>
Reply-To: FFmpeg development discussions and patches
Subject: [FFmpeg-devel] [PR] lavc/aacdec_usac: fix CPE channel index in ff_aac_usac_reset_state() (PR #21469)
List-Id: FFmpeg development discussions and patches
From: ruikai via ffmpeg-devel
Cc: ruikai

PR #21469 opened by ruikai
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21469
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21469.patch

fix a simple index bug in ff_aac_usac_reset_state() that writes past the end of
ChannelElement.ch[2] for CPE

ff_aac_usac_reset_state() loops over channels with j < ch, but incorrectly takes
&che->ch[ch]. For CPE (ch == 2) this becomes che->ch[2], which is one past the
end of ChannelElement.ch[2], and the subsequent memset() causes an intra-object
out-of-bounds write.

index the channel element with the loop variable (j).

>>From c8b8c41a6b2a3de017aaacb4cdc076cbd2cb8754 Mon Sep 17 00:00:00 2001
From: Ruikai Peng Date: Wed, 14 Jan 2026 19:16:43 -0500 Subject: [PATCH] lavc/aacdec_usac: fix CPE channel index in ff_aac_usac_reset_state() fix a simple index bug in ff_aac_usac_reset_state() that writes past the end of ChannelElement.ch[2] for CPE ff_aac_usac_reset_state() loops over channels with j < ch, but incorrectly takes &che->ch[ch]. For CPE (ch == 2) this becomes che->ch[2], which is one past the end of ChannelElement.ch[2], and the subsequent memset() causes an intra-object out-of-bounds write. index the channel element with the loop variable (j). --- libavcodec/aac/aacdec_usac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c index c4b821bbba..237a247d5b 100644 --- a/libavcodec/aac/aacdec_usac.c +++ b/libavcodec/aac/aacdec_usac.c @@ -315,7 +315,7 @@ int ff_aac_usac_reset_state(AACDecContext *ac, OutputConfiguration *oc) ff_aac_sbr_config_usac(ac, che, e); for (int j = 0; j < ch; j++) { - SingleChannelElement *sce = &che->ch[ch]; + SingleChannelElement *sce = &che->ch[j]; AACUsacElemData *ue = &sce->ue; memset(ue, 0, sizeof(*ue)); -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
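
Review bot: The commit message covers only the CPE overflow, but in the `for (int j = 0; j < ch; j++)` loop the old `&che->ch[ch]` was wrong for every value of ch, not just ch == 2. With ch == 1 it stayed in bounds and cleared `ch[1].ue` instead of `ch[0].ue`, and with ch == 2 it never touched `ch[0]` or `ch[1]`, so the `ue` state that `memset(ue, 0, sizeof(*ue))` is meant to reset was left stale for the channels actually in use. Please mention that in the message so the behavioural change on reset is on record alongside the memory-safety fix. Separately, the local count `ch` shares its name with the `che->ch` array member, which is what lets `che->ch[ch]` read as plausible; renaming the count in a follow-up would make this kind of slip easier to catch in review.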