avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails

Fixes: out of array access Fixes: 70734/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-4741427068731392 Fixes: 383194070/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5302387708854272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Lynne <dev@lynne.ee> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-02-26 08:41:38 +00:00 · 2024-07-31 20:59:49 +02:00 · 2024-07-31 20:59:49 +02:00 · 682d710bcb
commit 682d710bcb
parent 1e76bd2f39
1 changed files with 3 additions and 1 deletions
--- a/libavcodec/aac/aacdec_usac.c
+++ b/libavcodec/aac/aacdec_usac.c
@ -917,8 +917,10 @@ static int decode_usac_stereo_info(AACDecContext *ac, AACUSACConfig *usac,
        }

        ret = setup_sce(ac, sce1, usac);
-        if (ret < 0)
+        if (ret < 0) {
+            ics2->max_sfb = 0;
            return ret;
+        }

        ret = setup_sce(ac, sce2, usac);
        if (ret < 0)