avcodec/aacdec: Fix heap-use-after-free in USAC decoding

A heap-use-after-free vulnerability was identified in `libavcodec/aac/aacdec.c`. When `che_configure` frees a `ChannelElement` (`ac->che[type][id]`), it failed to clear all references to it in `ac->tag_che_map`. `ac->tag_che_map` caches pointers to `ChannelElement`s and can contain cross-type mappings (e.g., a `TYPE_SCE` tag mapping to a `TYPE_LFE` element). In a USAC stream reconfiguration scenario, an LFE element was freed, but a stale pointer remained in `ac->tag_che_map`. Subsequent calls to `ff_aac_get_che` returned this dangling pointer, leading to a crash in `decode_usac_core_coder`. This commit fixes the issue by iterating over the entire `ac->tag_che_map` in `che_configure` and clearing any entries that point to the `ChannelElement` about to be freed, ensuring no dangling pointers remain. Fixes: https://issues.oss-fuzz.com/issues/440220467
2026-01-12 00:06:51 +08:00 · 2025-12-03 04:53:09 +00:00
parent 7922d4ca7d
commit d6458f6a8b
1 changed files with 6 additions and 0 deletions
--- a/libavcodec/aac/aacdec.c
+++ b/libavcodec/aac/aacdec.c
@@ -164,6 +164,12 @@ static av_cold int che_configure(AACDecContext *ac,
        }
    } else {
        if (ac->che[type][id]) {
+            for (int i = 0; i < FF_ARRAY_ELEMS(ac->tag_che_map); i++) {
+                for (int j = 0; j < MAX_ELEM_ID; j++) {
+                    if (ac->tag_che_map[i][j] == ac->che[type][id])
+                        ac->tag_che_map[i][j] = NULL;
+                }
+            }
            ac->proc.sbr_ctx_close(ac->che[type][id]);
        }
        av_freep(&ac->che[type][id]);