This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/7.1 in repository ffmpeg.
commit 5f399cd8c148806acd57dc3dc1ae716366c9e7cb Author: Oliver Chang <[email protected]> AuthorDate: Tue Feb 3 05:36:52 2026 +0000 Commit: Michael Niedermayer <[email protected]> CommitDate: Mon May 4 15:57:04 2026 +0200 avcodec/qdm2: fix heap-use-after-free in qdm2_decode_frame The `sub_packet` index in `QDM2Context` was not reset to 0 when `qdm2_decode_frame` started processing a new packet. If an error occurred during the decoding of a previous packet, `sub_packet` would retain a non-zero value. In subsequent calls to `qdm2_decode_frame` with a new packet, this non-zero `sub_packet` value caused `qdm2_decode` to skip `qdm2_decode_super_block`. This function is responsible for initializing packet lists with pointers to the current packet's data. Skipping it led to the use of stale pointers from the previous (freed) packet, resulting in a heap-use-after-free vulnerability. This patch explicitly resets `s->sub_packet = 0` at the beginning of `qdm2_decode_frame`, ensuring correct initialization for each new packet. Fixes: OSS-Fuzz issue 476179569 (https://issues.oss-fuzz.com/issues/476179569). (cherry picked from commit a795ca89fa2f49f80cbe7a9fa323f278abf62e7f) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/qdm2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index e629e3b42a..b4aaf179f4 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1857,6 +1857,8 @@ static int qdm2_decode_frame(AVCodecContext *avctx, AVFrame *frame, if(buf_size < s->checksum_size) return -1; + s->sub_packet = 0; + /* get output buffer */ frame->nb_samples = 16 * s->frame_size; if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
