This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit da3d9b0436aca27bf5c68de12ff3267ec0e3cb01 Author: Oliver Chang <[email protected]> AuthorDate: Tue Feb 3 05:36:52 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 18:54:58 2026 +0200 avcodec/qdm2: fix heap-use-after-free in qdm2_decode_frame The `sub_packet` index in `QDM2Context` was not reset to 0 when `qdm2_decode_frame` started processing a new packet. If an error occurred during the decoding of a previous packet, `sub_packet` would retain a non-zero value. In subsequent calls to `qdm2_decode_frame` with a new packet, this non-zero `sub_packet` value caused `qdm2_decode` to skip `qdm2_decode_super_block`. This function is responsible for initializing packet lists with pointers to the current packet's data. Skipping it led to the use of stale pointers from the previous (freed) packet, resulting in a heap-use-after-free vulnerability. This patch explicitly resets `s->sub_packet = 0` at the beginning of `qdm2_decode_frame`, ensuring correct initialization for each new packet. Fixes: OSS-Fuzz issue 476179569 (https://issues.oss-fuzz.com/issues/476179569). (cherry picked from commit a795ca89fa2f49f80cbe7a9fa323f278abf62e7f) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/qdm2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 07dea55a76..157149ffbe 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1852,6 +1852,8 @@ static int qdm2_decode_frame(AVCodecContext *avctx, void *data, if(buf_size < s->checksum_size) return -1; + s->sub_packet = 0; + /* get output buffer */ frame->nb_samples = 16 * s->frame_size; if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
