This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 1a2c16fe51 avcodec/av1dec: check that primary_ref_frame is within range
1a2c16fe51 is described below
commit 1a2c16fe514b60e1860829c42ce199de77a007e5
Author: James Almer <[email protected]>
AuthorDate: Sun May 3 12:58:27 2026 -0300
Commit: James Almer <[email protected]>
CommitDate: Sun May 3 15:55:21 2026 -0300
avcodec/av1dec: check that primary_ref_frame is within range
Fixes CVE-2026-30997
Fixes: Out-of-Bounds Access
Found-by: Xinghang Lv
Signed-off-by: James Almer <[email protected]>
---
libavcodec/av1dec.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c
index 90621caeb6..a7383a88be 100644
--- a/libavcodec/av1dec.c
+++ b/libavcodec/av1dec.c
@@ -99,12 +99,11 @@ static int32_t decode_signed_subexp_with_ref(uint32_t
sub_exp, int low,
static void read_global_param(AV1DecContext *s, int type, int ref, int idx)
{
- uint8_t primary_frame, prev_frame;
+ int primary_frame;
uint32_t abs_bits, prec_bits, round, prec_diff, sub, mx;
int32_t r, prev_gm_param;
primary_frame = s->raw_frame_header->primary_ref_frame;
- prev_frame = s->raw_frame_header->ref_frame_idx[primary_frame];
abs_bits = AV1_GM_ABS_ALPHA_BITS;
prec_bits = AV1_GM_ALPHA_PREC_BITS;
@@ -114,8 +113,10 @@ static void read_global_param(AV1DecContext *s, int type,
int ref, int idx)
*/
if (s->raw_frame_header->primary_ref_frame == AV1_PRIMARY_REF_NONE)
prev_gm_param = s->cur_frame.gm_params[ref][idx];
- else
+ else {
+ int prev_frame = s->raw_frame_header->ref_frame_idx[primary_frame];
prev_gm_param = s->ref[prev_frame].gm_params[ref][idx];
+ }
if (idx < 2) {
if (type == AV1_WARP_MODEL_TRANSLATION) {
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
