On Wed, 14 Jan 2026, 18:22 ruikai via ffmpeg-devel, <[email protected]> wrote:
> PR #21469 opened by ruikai > URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21469 > Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21469.patch > > fix a simple index bug in ff_aac_usac_reset_state() > that writes past the end of ChannelElement.ch[2] for CPE > > ff_aac_usac_reset_state() loops over channels with j < ch, but > incorrectly takes &che->ch[ch]. For CPE (ch == 2) this becomes > che->ch[2], which is one past the end of ChannelElement.ch[2], and the > subsequent memset() causes an intra-object out-of-bounds write. > > index the channel element with the loop variable (j). > > > >From c8b8c41a6b2a3de017aaacb4cdc076cbd2cb8754 Mon Sep 17 00:00:00 2001 > From: Ruikai Peng <[email protected]> > Date: Wed, 14 Jan 2026 19:16:43 -0500 > Subject: [PATCH] lavc/aacdec_usac: fix CPE channel index in > ff_aac_usac_reset_state() > > fix a simple index bug in ff_aac_usac_reset_state() > that writes past the end of ChannelElement.ch[2] for CPE > > ff_aac_usac_reset_state() loops over channels with j < ch, but > incorrectly takes &che->ch[ch]. For CPE (ch == 2) this becomes > che->ch[2], which is one past the end of ChannelElement.ch[2], and the > subsequent memset() causes an intra-object out-of-bounds write. > > index the channel element with the loop variable (j). > --- > libavcodec/aac/aacdec_usac.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c > index c4b821bbba..237a247d5b 100644 > --- a/libavcodec/aac/aacdec_usac.c > +++ b/libavcodec/aac/aacdec_usac.c 
> @@ -315,7 +315,7 @@ int ff_aac_usac_reset_state(AACDecContext *ac, > OutputConfiguration *oc) > ff_aac_sbr_config_usac(ac, che, e); > > for (int j = 0; j < ch; j++) { > - SingleChannelElement *sce = &che->ch[ch]; > + SingleChannelElement *sce = &che->ch[j]; > AACUsacElemData *ue = &sce->ue; > > memset(ue, 0, sizeof(*ue)); > -- > 2.49.1 > > _______________________________________________ > ffmpeg-devel mailing list -- [email protected] > To unsubscribe send an email to [email protected] LGTM > > _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
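Review bot: The commit message covers only the out-of-bounds write for CPE, but in the loop of the -315,7 hunk the old expression &che->ch[ch] did not depend on j at all, so no iteration ever reached a channel below ch. For CPE that means the memset() landed on che->ch[2] twice, while the ue data of ch[0] and ch[1] was never cleared by this function. With &che->ch[j] those entries are now zeroed on every reset, which is a behaviour change beyond removing the stray write. Please say so in the commit message, and consider naming the commit that introduced the wrong index so the fix can be matched to the releases that need it. The one-line code change itself looks right as posted.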
