PR #23713 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23713
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23713.patch

Fixes: read of uninitialized memory
Fixes: 
528525234/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-6429204661731328
Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg



>From 3e6381079994adc07f11b22936afd99daf287ff1 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Sun, 5 Jul 2026 03:22:13 +0200
Subject: [PATCH] avformat/spdif: fix reading past the buffer when probing AAC
 in IEC 61937

Fixes: read of uninitialized memory
Fixes: 
528525234/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-6429204661731328
Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
 libavformat/spdifdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/spdifdec.c b/libavformat/spdifdec.c
index dcfe471f45..fe45deb157 100644
--- a/libavformat/spdifdec.c
+++ b/libavformat/spdifdec.c
@@ -142,7 +142,10 @@ int ff_spdif_probe(const uint8_t *p_buf, int buf_size, 
enum AVCodecID *codec)
             } else
                 consecutive_codes = 0;
 
-            if (buf + 4 + AV_AAC_ADTS_HEADER_SIZE > p_buf + buf_size)
+            /* spdif_get_offset_and_codec() parses AV_AAC_ADTS_HEADER_SIZE
+             * bytes starting at buf[5] (the payload after the 4 byte sync and
+             * the Pc/Pd burst header), so that many bytes must be available. 
*/
+            if (buf + 5 + AV_AAC_ADTS_HEADER_SIZE > p_buf + buf_size)
                 break;
 
             /* continue probing to find more sync codes */
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to