[FFmpeg-devel] [PATCH 1/4] avcodec/opus/dec: Don't use outdated size
Andreas Rheinhardt
ffmpegagent at gmail.com
Fri Jul 4 13:35:18 EEST 2025
From: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>
When flushing, the code would use subpacket sizes from the last
proper packet sent and use this to offset the NULL buf variable
which is UB (this happens in the opus-testvector02 FATE-test).
This also has the potential to make buf != NULL, so that one
would enter the codepath for non-flush packets and try to parse
a subpacket, erroring out because the size would be negative
(I don't have a sample for this as the testvector02 sample
only uses one stream).
Fix this by not using wrong sizes.
Fixes: libavcodec/opus/dec.c:588:18: runtime error: applying non-zero offset 10 to null pointer
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>
---
libavcodec/opus/dec.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavcodec/opus/dec.c b/libavcodec/opus/dec.c
index 6c59dc1f46..a43146c82c 100644
--- a/libavcodec/opus/dec.c
+++ b/libavcodec/opus/dec.c
@@ -484,6 +484,7 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
int coded_samples = 0;
int decoded_samples = INT_MAX;
int delayed_samples = 0;
+ int subpacket_size = 0;
int i, ret;
/* calculate the number of delayed samples */
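Review bot: The initializer in `int subpacket_size = 0;` is what keeps the flush path from offsetting `buf`, but nothing at the declaration says so. A one-line comment that 0 means no subpacket was parsed in this call would keep a later cleanup from dropping the initializer or narrowing the variable's scope.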
@@ -504,6 +505,7 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
return ret;
}
coded_samples += pkt->frame_count * pkt->frame_duration;
+ subpacket_size = pkt->packet_size;
c->streams[0].silk_samplerate = get_silk_samplerate(pkt->config);
}
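Review bot: After `subpacket_size = pkt->packet_size;` the stream's `packet_size` field still keeps its value between calls, which is the outdated size the commit message describes. The local copy avoids reading it in this function, but a comment here (or clearing the field when flushing) would make it explicit that the stored `packet_size` must not be trusted on the flush path.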
@@ -575,6 +577,7 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
return AVERROR_INVALIDDATA;
}
+ subpacket_size = s->packet.packet_size;
s->silk_samplerate = get_silk_samplerate(s->packet.config);
}
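Review bot: `subpacket_size = s->packet.packet_size;` is assigned only inside this block, so a pass that does not enter the block will advance `buf` by whatever the variable already holds, either from the `c->streams[0]` parse above or from an earlier pass. If that carry-over is intended for the first stream, a comment should say so; if not, the variable needs to be reset before each stream is handled.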
@@ -585,8 +588,8 @@ static int opus_decode_packet(AVCodecContext *avctx, AVFrame *frame,
s->decoded_samples = ret;
decoded_samples = FFMIN(decoded_samples, ret);
- buf += s->packet.packet_size;
- buf_size -= s->packet.packet_size;
+ buf = FF_PTR_ADD(buf, subpacket_size);
+ buf_size -= subpacket_size;
}
/* buffer the extra samples */
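Review bot: In `buf = FF_PTR_ADD(buf, subpacket_size);` the fix depends on `subpacket_size` being 0 whenever `buf` is NULL, assuming FF_PTR_ADD only skips the addition for a zero offset; a non-zero offset on a NULL `buf` would still be undefined. Nothing visible in this hunk enforces that pairing or bounds `subpacket_size` against `buf_size` before `buf_size -= subpacket_size;`, so an assertion such as `av_assert1(buf || !subpacket_size)` ahead of these two lines would document the invariant.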
--
ffmpeg-codebot