From d6458f6a8bf188a9b323962b7cb01dc855a89936 Mon Sep 17 00:00:00 2001 From: Oliver Chang Date: Wed, 3 Dec 2025 04:53:09 +0000 Subject: [PATCH] avcodec/aacdec: Fix heap-use-after-free in USAC decoding A heap-use-after-free vulnerability was identified in `libavcodec/aac/aacdec.c`. When `che_configure` frees a `ChannelElement` (`ac->che[type][id]`), it failed to clear all references to it in `ac->tag_che_map`. `ac->tag_che_map` caches pointers to `ChannelElement`s and can contain cross-type mappings (e.g., a `TYPE_SCE` tag mapping to a `TYPE_LFE` element). In a USAC stream reconfiguration scenario, an LFE element was freed, but a stale pointer remained in `ac->tag_che_map`. Subsequent calls to `ff_aac_get_che` returned this dangling pointer, leading to a crash in `decode_usac_core_coder`. This commit fixes the issue by iterating over the entire `ac->tag_che_map` in `che_configure` and clearing any entries that point to the `ChannelElement` about to be freed, ensuring no dangling pointers remain. Fixes: https://issues.oss-fuzz.com/issues/440220467 --- libavcodec/aac/aacdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/aac/aacdec.c b/libavcodec/aac/aacdec.c index 9b42014ee8..b8d53036d4 100644 --- a/libavcodec/aac/aacdec.c +++ b/libavcodec/aac/aacdec.c @@ -164,6 +164,12 @@ static av_cold int che_configure(AACDecContext *ac, } } else { if (ac->che[type][id]) { + for (int i = 0; i < FF_ARRAY_ELEMS(ac->tag_che_map); i++) { + for (int j = 0; j < MAX_ELEM_ID; j++) { + if (ac->tag_che_map[i][j] == ac->che[type][id]) + ac->tag_che_map[i][j] = NULL; + } + } ac->proc.sbr_ctx_close(ac->che[type][id]); } av_freep(&ac->che[type][id]);