avcodec/qdm2: fix heap-use-after-free in qdm2_decode_frame

The `sub_packet` index in `QDM2Context` was not reset to 0 when
`qdm2_decode_frame` started processing a new packet. If an error
occurred during the decoding of a previous packet, `sub_packet` would
retain a non-zero value.

In subsequent calls to `qdm2_decode_frame` with a new packet, this
non-zero `sub_packet` value caused `qdm2_decode` to skip
`qdm2_decode_super_block`. This function is responsible for initializing
packet lists with pointers to the current packet's data. Skipping it led
to the use of stale pointers from the previous (freed) packet, resulting
in a heap-use-after-free vulnerability.

This patch explicitly resets `s->sub_packet = 0` at the beginning of
`qdm2_decode_frame`, ensuring correct initialization for each new
packet.

Fixes: OSS-Fuzz issue 476179569
(https://issues.oss-fuzz.com/issues/476179569).
Oliver Chang
2026-02-03 05:36:52 +00:00
committed by James Almer
parent 17d89757cd
commit a795ca89fa


@@ -1929,6 +1929,8 @@ static int qdm2_decode_frame(AVCodecContext *avctx, AVFrame *frame,
if(buf_size < s->checksum_size)
return AVERROR_INVALIDDATA;
s->sub_packet = 0;
/* get output buffer */
frame->nb_samples = 16 * s->frame_size;
if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
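Review bot: The unconditional `s->sub_packet = 0;` at function entry is the right fix, since it covers every early-return path of a previous call rather than only the error branch that was observed; one suggestion is to add a one-line comment next to it (e.g. `/* a new packet always starts a new super block */`) because the reason the reset matters (a stale index makes `qdm2_decode` skip `qdm2_decode_super_block` and reuse pointers into the previous packet) is recorded only in the commit message. Its placement after `if(buf_size < s->checksum_size) return AVERROR_INVALIDDATA;` and before `ff_get_buffer` is fine: a packet rejected by the size check never reaches the decode loop, and a failure in `ff_get_buffer` leaves `sub_packet` already at 0 for the next call. Since the report came from a fuzzer input, it would also be worth checking that the reproducer from the referenced OSS-Fuzz issue now decodes cleanly under ASan before merging.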