This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch master in repository ffmpeg.
commit d519ab89931212b4137e65b1530ebfca1d1fbbf9 Author: Oliver Chang <[email protected]> AuthorDate: Tue Feb 24 02:41:27 2026 -0800 Commit: Michael Niedermayer <[email protected]> CommitDate: Fri Mar 13 22:57:25 2026 +0100 aacdec_usac: skip FD-specific decoding for LPD channels `spectrum_decode` currently executes Frequency Domain (FD) decoding steps for all channels, regardless of their `core_mode`. When a channel is in Linear Prediction Domain (LPD) mode (`core_mode == 1`), FD-specific parameters such as scalefactor offsets (`sfo`) and individual channel stream (`ics`) information are not parsed. This causes a global-buffer-overflow in `dequant_scalefactors`. Because `spectrum_scale` is called on LPD channels, it uses stale or uninitialized `sfo` values to index `ff_aac_pow2sf_tab`. In the reported crash, a stale `sfo` value of 240 resulted in an index of 440 (240 + POW_SF2_ZERO), exceeding the table's size of 428. Fix this by ensuring `spectrum_scale` and `imdct_and_windowing` are only called for channels where `core_mode == 0` (FD). Co-authored-by: CodeMender <[email protected]> Fixes: https://issues.oss-fuzz.com/486160985 --- libavcodec/aac/aacdec_usac.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c index 4331c7d8ff..687a5b6a3c 100644 --- a/libavcodec/aac/aacdec_usac.c +++ b/libavcodec/aac/aacdec_usac.c @@ -1296,7 +1296,8 @@ static void spectrum_decode(AACDecContext *ac, AACUSACConfig *usac, SingleChannelElement *sce = &cpe->ch[ch]; AACUsacElemData *ue = &sce->ue; - spectrum_scale(ac, sce, ue); + if (!ue->core_mode) + spectrum_scale(ac, sce, ue); } if (nb_channels > 1 && us->common_window) { 
@@ -1346,8 +1347,9 @@ static void spectrum_decode(AACDecContext *ac, AACUSACConfig *usac, if (sce->tns.present && ((nb_channels == 1) || (us->tns_on_lr))) ac->dsp.apply_tns(sce->coeffs, &sce->tns, &sce->ics, 1); - ac->oc[1].m4ac.frame_length_short ? ac->dsp.imdct_and_windowing_768(ac, sce) : - ac->dsp.imdct_and_windowing(ac, sce); + if (!sce->ue.core_mode) + ac->oc[1].m4ac.frame_length_short ? ac->dsp.imdct_and_windowing_768(ac, sce) : + ac->dsp.imdct_and_windowing(ac, sce); } } _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
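Review bot: In the first hunk (@@ -1296), the new `if (!ue->core_mode)` guard keeps `spectrum_scale` away from LPD channels, but the table lookup it protects stays unchecked. Per the commit message, `dequant_scalefactors` indexes `ff_aac_pow2sf_tab` (428 entries) with `sfo + POW_SF2_ZERO`, and a stale `sfo` of 240 went out of bounds. Consider also validating that index where it is computed, so that a bad `sfo` reaching it by any other path fails safely. A one-line comment at the guard noting that `sfo` and `ics` are not parsed for LPD channels would keep the reason visible in the code.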
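Review bot: In the second hunk (@@ -1346), the `if (!sce->ue.core_mode)` guard covers only the IMDCT call, while the `ac->dsp.apply_tns(sce->coeffs, &sce->tns, &sce->ics, 1)` call in the context lines directly above still runs for every channel and reads `sce->ics`, which the commit message says is not parsed for LPD channels. Please confirm that `sce->tns.present` cannot be stale on an LPD channel, or move the TNS call under the same guard. As a style point, the ternary used as a statement under an unbraced `if` is hard to read; an explicit if/else inside braces would make the two IMDCT variants clearer.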
