xaymar/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/av1dec: check that primary_ref_frame is within range

Browse Source 
Fixes CVE-2026-30997

Fixes: Out-of-Bounds Access
Found-by: Xinghang Lv
Signed-off-by: James Almer <jamrial@gmail.com>
This commit is contained in:
James Almer
2026-05-03 12:58:27 -03:00
parent f80431dc4e
commit 1a2c16fe51
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
libavcodec/av1dec.c
+4 -3
View File
@@ -99,12 +99,11 @@ static int32_t decode_signed_subexp_with_ref(uint32_t sub_exp, int low,
static void read_global_param(AV1DecContext *s, int type, int ref, int idx)
{
uint8_t primary_frame, prev_frame;
int primary_frame;
uint32_t abs_bits, prec_bits, round, prec_diff, sub, mx;
int32_t r, prev_gm_param;
primary_frame = s->raw_frame_header->primary_ref_frame;
prev_frame = s->raw_frame_header->ref_frame_idx[primary_frame];
abs_bits = AV1_GM_ABS_ALPHA_BITS;
prec_bits = AV1_GM_ALPHA_PREC_BITS;
@@ -114,8 +113,10 @@ static void read_global_param(AV1DecContext *s, int type, int ref, int idx)
*/
if (s->raw_frame_header->primary_ref_frame == AV1_PRIMARY_REF_NONE)
prev_gm_param = s->cur_frame.gm_params[ref][idx];
else
else {
int prev_frame = s->raw_frame_header->ref_frame_idx[primary_frame];
prev_gm_param = s->ref[prev_frame].gm_params[ref][idx];
}
if (idx < 2) {
if (type == AV1_WARP_MODEL_TRANSLATION) {