PR #22411 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22411 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22411.patch
Without the specification, limiting the index is the best that can be done. a (still incomplete) specification based fix is here: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22345 iam submitting this, as i had written it before above and it also works while above does not yet, but hopefully will soon Fixes: out of array access Fixes: 487591441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6205915698364416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> >From d6f39780fb340aacc926733f09d576fb0d2c3efa Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Thu, 5 Mar 2026 15:40:45 +0100 Subject: [PATCH 1/2] avcodec/aac/aacdec_usac_mps212: Fix invalid shift Fixes: left shift of negative value -2 Fixes: 487591441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6205915698364416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/aac/aacdec_usac_mps212.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aac/aacdec_usac_mps212.c b/libavcodec/aac/aacdec_usac_mps212.c index 17f570c518..e73665022c 100644 --- a/libavcodec/aac/aacdec_usac_mps212.c +++ b/libavcodec/aac/aacdec_usac_mps212.c @@ -544,7 +544,7 @@ static void coarse_to_fine(int16_t *data, enum AACMPSDataType data_type, int start_band, int end_band) { for (int i = start_band; i < end_band; i++) - data[i] <<= 1; + data[i] *= 2; if (data_type == MPS_CLD) { for (int i = start_band; i < end_band; i++) { if (data[i] == -14) -- 2.52.0 >From 866e0eb4369c144849e58e9c6b1241025c125e94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Thu, 5 Mar 2026 16:22:25 +0100 Subject: [PATCH 2/2] avcodec/aac/aacdec_usac_mps212: Fix invalid array index Without the specification, limiting the index is the best that can be done. Fixes: out of array access Fixes: 487591441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6205915698364416 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/aac/aacdec_usac_mps212.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aac/aacdec_usac_mps212.c b/libavcodec/aac/aacdec_usac_mps212.c index e73665022c..43b4930e1a 100644 --- a/libavcodec/aac/aacdec_usac_mps212.c +++ b/libavcodec/aac/aacdec_usac_mps212.c @@ -584,6 +584,9 @@ static int get_freq_strides(int16_t *freq_strides, int band_stride, } } + for (int i = 0; i <= data_bands; i++) + freq_strides[i] = av_clip_uintp2(freq_strides[i], 2); + return data_bands; } -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
