PR #22353 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22353 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22353.patch
`spectrum_decode` currently executes Frequency Domain (FD) decoding steps for all channels, regardless of their `core_mode`. When a channel is in Linear Prediction Domain (LPD) mode (`core_mode == 1`), FD-specific parameters such as scalefactor offsets (`sfo`) and individual channel stream (`ics`) information are not parsed. This causes a global-buffer-overflow in `dequant_scalefactors`. Because `spectrum_scale` is called on LPD channels, it uses stale or uninitialized `sfo` values to index `ff_aac_pow2sf_tab`. In the reported crash, a stale `sfo` value of 240 resulted in an index of 440 (240 + POW_SF2_ZERO), exceeding the table's size of 428. Fix this by ensuring `spectrum_scale` and `imdct_and_windowing` are only called for channels where `core_mode == 0` (FD). Co-authored-by: CodeMender <[email protected]> Fixes: https://issues.oss-fuzz.com/486160985 >From e6c0c8e58059da6ef3f423777c0d5239857d2e05 Mon Sep 17 00:00:00 2001 
From: Oliver Chang <[email protected]> Date: Tue, 24 Feb 2026 02:41:27 -0800 Subject: [PATCH] aacdec_usac: skip FD-specific decoding for LPD channels `spectrum_decode` currently executes Frequency Domain (FD) decoding steps for all channels, regardless of their `core_mode`. When a channel is in Linear Prediction Domain (LPD) mode (`core_mode == 1`), FD-specific parameters such as scalefactor offsets (`sfo`) and individual channel stream (`ics`) information are not parsed. This causes a global-buffer-overflow in `dequant_scalefactors`. Because `spectrum_scale` is called on LPD channels, it uses stale or uninitialized `sfo` values to index `ff_aac_pow2sf_tab`. In the reported crash, a stale `sfo` value of 240 resulted in an index of 440 (240 + POW_SF2_ZERO), exceeding the table's size of 428. Fix this by ensuring `spectrum_scale` and `imdct_and_windowing` are only called for channels where `core_mode == 0` (FD). Co-authored-by: CodeMender <[email protected]> Fixes: https://issues.oss-fuzz.com/486160985 --- libavcodec/aac/aacdec_usac.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c index bed9747e9c..74a3badaf4 100644 --- a/libavcodec/aac/aacdec_usac.c +++ b/libavcodec/aac/aacdec_usac.c @@ -1293,7 +1293,8 @@ static void spectrum_decode(AACDecContext *ac, AACUSACConfig *usac, SingleChannelElement *sce = &cpe->ch[ch]; AACUsacElemData *ue = &sce->ue; - spectrum_scale(ac, sce, ue); + if (!ue->core_mode) + spectrum_scale(ac, sce, ue); } if (nb_channels > 1 && us->common_window) { 
@@ -1343,8 +1344,9 @@ static void spectrum_decode(AACDecContext *ac, AACUSACConfig *usac, if (sce->tns.present && ((nb_channels == 1) || (us->tns_on_lr))) ac->dsp.apply_tns(sce->coeffs, &sce->tns, &sce->ics, 1); - ac->oc[1].m4ac.frame_length_short ? ac->dsp.imdct_and_windowing_768(ac, sce) : - ac->dsp.imdct_and_windowing(ac, sce); + if (!sce->ue.core_mode) + ac->oc[1].m4ac.frame_length_short ? ac->dsp.imdct_and_windowing_768(ac, sce) : + ac->dsp.imdct_and_windowing(ac, sce); } } -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
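Review bot: in the first hunk (`spectrum_decode`, around line 1293), guarding `spectrum_scale` on `!ue->core_mode` stops the stale `sfo` index into `ff_aac_pow2sf_tab`, but the loop still falls through to the `if (nb_channels > 1 && us->common_window)` block for an LPD channel, so please confirm that the common-window stereo processing below does not read the unscaled coefficients of a channel whose `sfo`/`ics` were never parsed, and that `ue->core_mode` is initialised for every channel before this loop so the check cannot itself see a stale value. A one-line comment such as `/* FD-only: LPD channels carry no sfo/ics data */` above the new `if` would record why the call is skipped.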
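Review bot: in the second hunk (around line 1344), the `apply_tns` call two lines above the new guard is still executed unconditionally and passes `&sce->ics`, which the commit message says is not parsed for LPD channels; if that is accurate, the TNS call should sit under the same `if (!sce->ue.core_mode)` condition rather than only the IMDCT. Style-wise, a two-line ternary used as a statement under a brace-less `if` is easy to misread; an explicit `if (frame_length_short) ... else ...` inside braces would be clearer and match the rest of the file.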
