From: oliverchang via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Cc: oliverchang <code@ffmpeg.org>
Subject: [FFmpeg-devel] [PR] avcodec/qdm2: fix heap-use-after-free in qdm2_decode_frame (PR #21635)
Date: Tue, 03 Feb 2026 05:43:00 -0000
Message-ID: <177009738157.25.2000979076685215586@4457048688e7> (raw)
PR #21635 opened by oliverchang
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21635
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21635.patch
The `sub_packet` index in `QDM2Context` was not reset to 0 when
`qdm2_decode_frame` started processing a new packet. If an error
occurred during the decoding of a previous packet, `sub_packet` would
retain a non-zero value.
In subsequent calls to `qdm2_decode_frame` with a new packet, this
non-zero `sub_packet` value caused `qdm2_decode` to skip
`qdm2_decode_super_block`. This function is responsible for initializing
packet lists with pointers to the current packet's data. Skipping it led
to the use of stale pointers from the previous (freed) packet, resulting
in a heap-use-after-free vulnerability.
This patch explicitly resets `s->sub_packet = 0` at the beginning of
`qdm2_decode_frame`, ensuring correct initialization for each new
packet.
Fixes: OSS-Fuzz issue 476179569
(https://issues.oss-fuzz.com/issues/476179569).
>From 553424b0a3ad4db22d1e68d3f46a8193ce88673e Mon Sep 17 00:00:00 2001
From: Oliver Chang <ochang@google.com>
Date: Tue, 3 Feb 2026 05:36:52 +0000
Subject: [PATCH] avcodec/qdm2: fix heap-use-after-free in qdm2_decode_frame
The `sub_packet` index in `QDM2Context` was not reset to 0 when
`qdm2_decode_frame` started processing a new packet. If an error
occurred during the decoding of a previous packet, `sub_packet` would
retain a non-zero value.
In subsequent calls to `qdm2_decode_frame` with a new packet, this
non-zero `sub_packet` value caused `qdm2_decode` to skip
`qdm2_decode_super_block`. This function is responsible for initializing
packet lists with pointers to the current packet's data. Skipping it led
to the use of stale pointers from the previous (freed) packet, resulting
in a heap-use-after-free vulnerability.
This patch explicitly resets `s->sub_packet = 0` at the beginning of
`qdm2_decode_frame`, ensuring correct initialization for each new
packet.
Fixes: OSS-Fuzz issue 476179569
(https://issues.oss-fuzz.com/issues/476179569).
---
libavcodec/qdm2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index ec2ff7f022..796321f9d8 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1929,6 +1929,8 @@ static int qdm2_decode_frame(AVCodecContext *avctx, AVFrame *frame,
if(buf_size < s->checksum_size)
return AVERROR_INVALIDDATA;
+ s->sub_packet = 0;
+
/* get output buffer */
frame->nb_samples = 16 * s->frame_size;
if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
--
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
reply other threads:[~2026-02-03 5:46 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=177009738157.25.2000979076685215586@4457048688e7 \
--to=ffmpeg-devel@ffmpeg.org \
--cc=code@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git