From: oliverchang via ffmpeg-devel
Cc: oliverchang
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 03 Feb 2026 05:43:00 -0000
Message-ID: <177009738157.25.2000979076685215586@4457048688e7>
Subject: [FFmpeg-devel] [PR] avcodec/qdm2: fix heap-use-after-free in qdm2_decode_frame (PR #21635)
List-Id: FFmpeg development discussions and patches
Reply-To: FFmpeg development discussions and patches

PR #21635 opened by oliverchang
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21635
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21635.patch

The `sub_packet` index in `QDM2Context` was not reset to 0 when `qdm2_decode_frame` started processing a new packet. If an error occurred during the decoding of a previous packet, `sub_packet` would retain a non-zero value.

In subsequent calls to `qdm2_decode_frame` with a new packet, this non-zero `sub_packet` value caused `qdm2_decode` to skip `qdm2_decode_super_block`. This function is responsible for initializing packet lists with pointers to the current packet's data. Skipping it led to the use of stale pointers from the previous (freed) packet, resulting in a heap-use-after-free vulnerability.

This patch explicitly resets `s->sub_packet = 0` at the beginning of `qdm2_decode_frame`, ensuring correct initialization for each new packet.

Fixes: OSS-Fuzz issue 476179569 (https://issues.oss-fuzz.com/issues/476179569).
From 553424b0a3ad4db22d1e68d3f46a8193ce88673e Mon Sep 17 00:00:00 2001
From: Oliver Chang
Date: Tue, 3 Feb 2026 05:36:52 +0000
Subject: [PATCH] avcodec/qdm2: fix heap-use-after-free in qdm2_decode_frame

The `sub_packet` index in `QDM2Context` was not reset to 0 when `qdm2_decode_frame` started processing a new packet. If an error occurred during the decoding of a previous packet, `sub_packet` would retain a non-zero value.

In subsequent calls to `qdm2_decode_frame` with a new packet, this non-zero `sub_packet` value caused `qdm2_decode` to skip `qdm2_decode_super_block`. This function is responsible for initializing packet lists with pointers to the current packet's data. Skipping it led to the use of stale pointers from the previous (freed) packet, resulting in a heap-use-after-free vulnerability.

This patch explicitly resets `s->sub_packet = 0` at the beginning of `qdm2_decode_frame`, ensuring correct initialization for each new packet.

Fixes: OSS-Fuzz issue 476179569 (https://issues.oss-fuzz.com/issues/476179569).

--- libavcodec/qdm2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index ec2ff7f022..796321f9d8 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1929,6 +1929,8 @@ static int qdm2_decode_frame(AVCodecContext *avctx, AVFrame *frame, if(buf_size < s->checksum_size) return AVERROR_INVALIDDATA; + s->sub_packet = 0; + /* get output buffer */ frame->nb_samples = 16 * s->frame_size; if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) -- 2.52.0
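Review bot: the bare `s->sub_packet = 0;` added after the `buf_size < s->checksum_size` early return carries no comment, and nothing at that spot tells a later reader why the index must be forced back to 0 on every call rather than trusting the decoder's own wrap-around; placing it after the early return is fine, since that path never reaches `qdm2_decode`, but please add a one-line comment above the assignment stating the reason given in the commit message, e.g. `/* a failed previous frame may leave sub_packet != 0, which would skip qdm2_decode_super_block and reuse packet-list pointers into the freed previous packet */`. Since the fix is driven by an OSS-Fuzz reproducer, consider also adding that sample as a FATE test so the regression stays covered.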
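To make the mechanism in the description concrete, here is a reduced model of the decoder's sub-packet state machine as an added example; it is not code from libavcodec or from the patch. It assumes a hypothetical `Ctx` with one packet-list pointer standing in for the QDM2 packet lists, a 16 sub-packet frame, a sub-packet that fails to parse modelled as a 0xFF byte at its offset, and it counts uses of a stale pointer by address comparison instead of dereferencing it, so the model runs without undefined behaviour.

```c
/* Reduced model of the sub_packet state bug from PR #21635 (added example,
 * not libavcodec code). Ctx, decode_sub, decode_frame are hypothetical names. */
#include <stddef.h>
#include <stdint.h>

#define SUB_PACKETS 16

typedef struct {
    int sub_packet;          /* index of the sub-packet within a 16-part frame */
    const uint8_t *list_ptr; /* models packet-list pointers into the current packet */
    int stale_uses;          /* times list_ptr was used while aimed at an old packet */
} Ctx;

/* models qdm2_decode: the super block, which repoints the packet lists at the
 * current packet (qdm2_decode_super_block), is only parsed when sub_packet == 0 */
static int decode_sub(Ctx *c, const uint8_t *in, size_t len)
{
    if (c->sub_packet == 0)
        c->list_ptr = in;            /* models qdm2_decode_super_block */
    if (c->list_ptr != in)           /* the real decoder reads through it here */
        c->stale_uses++;
    /* constructed failure condition: a 0xFF byte at the sub-packet's offset */
    if ((size_t)c->sub_packet < len && in[c->sub_packet] == 0xFF)
        return -1;                   /* error path leaves sub_packet as it was */
    c->sub_packet = (c->sub_packet + 1) % SUB_PACKETS;
    return 0;
}

/* models qdm2_decode_frame; reset_index == 1 applies the patch's fix */
static int decode_frame(Ctx *c, const uint8_t *in, size_t len, int reset_index)
{
    if (reset_index)
        c->sub_packet = 0;           /* the patch: s->sub_packet = 0; */
    for (int i = 0; i < SUB_PACKETS; i++)
        if (decode_sub(c, in, len) < 0)
            return -1;
    return 0;
}

/* Decodes a constructed packet that fails at sub-packet 5, then a clean one, and
 * returns how many sub-packets of the second packet were processed through a
 * pointer still aimed at the first (freed, in the real decoder) packet. */
int stale_uses_after_error(int reset_index)
{
    uint8_t pkt1[SUB_PACKETS] = {0}, pkt2[SUB_PACKETS] = {0}; /* constructed */
    Ctx c = {0, NULL, 0};
    pkt1[5] = 0xFF;
    (void)decode_frame(&c, pkt1, sizeof pkt1, reset_index);   /* returns -1 */
    (void)decode_frame(&c, pkt2, sizeof pkt2, reset_index);   /* returns 0 */
    return c.stale_uses;
}
```

Without the reset, the second packet is processed through the stale pointer for sub-packets 5 through 15 (11 uses) before the index wraps to 0 and the super block is finally re-parsed; with the reset there are none.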