This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new be82aef7cc lavc/aacdec_usac: fix CPE channel index in
ff_aac_usac_reset_state()
be82aef7cc is described below
commit be82aef7cc7ec9f4655bca4a01cc2396eee60a62
Author: Ruikai Peng <[email protected]>
AuthorDate: Wed Jan 14 19:16:43 2026 -0500
Commit: Lynne <[email protected]>
CommitDate: Thu Jan 15 19:32:52 2026 +0000
lavc/aacdec_usac: fix CPE channel index in ff_aac_usac_reset_state()
fix a simple index bug in ff_aac_usac_reset_state()
that writes past the end of ChannelElement.ch[2] for CPE
ff_aac_usac_reset_state() loops over channels with j < ch, but
incorrectly takes &che->ch[ch]. For CPE (ch == 2) this becomes
che->ch[2], which is one past the end of ChannelElement.ch[2], and the
subsequent memset() causes an intra-object out-of-bounds write.
index the channel element with the loop variable (j).
---
libavcodec/aac/aacdec_usac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c
index c4b821bbba..237a247d5b 100644
--- a/libavcodec/aac/aacdec_usac.c
+++ b/libavcodec/aac/aacdec_usac.c
@@ -315,7 +315,7 @@ int ff_aac_usac_reset_state(AACDecContext *ac,
OutputConfiguration *oc)
ff_aac_sbr_config_usac(ac, che, e);
for (int j = 0; j < ch; j++) {
- SingleChannelElement *sce = &che->ch[ch];
+ SingleChannelElement *sce = &che->ch[j];
AACUsacElemData *ue = &sce->ue;
memset(ue, 0, sizeof(*ue));
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
