This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

commit 15bbf3a21d11847de21aa429ec22acf9424953ec
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sun Jul 5 03:22:13 2026 +0200
Commit:     michaelni <[email protected]>
CommitDate: Thu Jul 9 02:53:53 2026 +0000

    avformat/spdif: fix reading past the buffer when probing AAC in IEC 61937
    
    Fixes: read of uninitialized memory
    Fixes: 
528525234/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-6429204661731328
    Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
 libavformat/spdifdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/spdifdec.c b/libavformat/spdifdec.c
index dcfe471f45..fe45deb157 100644
--- a/libavformat/spdifdec.c
+++ b/libavformat/spdifdec.c
@@ -142,7 +142,10 @@ int ff_spdif_probe(const uint8_t *p_buf, int buf_size, 
enum AVCodecID *codec)
             } else
                 consecutive_codes = 0;
 
-            if (buf + 4 + AV_AAC_ADTS_HEADER_SIZE > p_buf + buf_size)
+            /* spdif_get_offset_and_codec() parses AV_AAC_ADTS_HEADER_SIZE
+             * bytes starting at buf[5] (the payload after the 4 byte sync and
+             * the Pc/Pd burst header), so that many bytes must be available. 
*/
+            if (buf + 5 + AV_AAC_ADTS_HEADER_SIZE > p_buf + buf_size)
                 break;
 
             /* continue probing to find more sync codes */

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to