From 1a2c16fe514b60e1860829c42ce199de77a007e5 Mon Sep 17 00:00:00 2001
From: James Almer
Date: Sun, 3 May 2026 12:58:27 -0300
Subject: [PATCH] avcodec/av1dec: check that primary_ref_frame is within range
Fixes CVE-2026-30997
Fixes: Out-of-Bounds Access
Found-by: Xinghang Lv
Signed-off-by: James Almer
---
 libavcodec/av1dec.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c
index 90621caeb6..a7383a88be 100644
--- a/libavcodec/av1dec.c
+++ b/libavcodec/av1dec.c
@@ -99,12 +99,11 @@ static int32_t decode_signed_subexp_with_ref(uint32_t sub_exp, int low,
 static void read_global_param(AV1DecContext *s, int type, int ref, int idx)
 {
- uint8_t primary_frame, prev_frame;
+ int primary_frame;
 uint32_t abs_bits, prec_bits, round, prec_diff, sub, mx;
 int32_t r, prev_gm_param;
 primary_frame = s->raw_frame_header->primary_ref_frame;
- prev_frame = s->raw_frame_header->ref_frame_idx[primary_frame];
 abs_bits = AV1_GM_ABS_ALPHA_BITS;
 prec_bits = AV1_GM_ALPHA_PREC_BITS;
@@ -114,8 +113,10 @@ static void read_global_param(AV1DecContext *s, int type, int ref, int idx)
 */
 if (s->raw_frame_header->primary_ref_frame == AV1_PRIMARY_REF_NONE)
 prev_gm_param = s->cur_frame.gm_params[ref][idx];
- else
+ else {
+ int prev_frame = s->raw_frame_header->ref_frame_idx[primary_frame];
 prev_gm_param = s->ref[prev_frame].gm_params[ref][idx];
+ }
 if (idx < 2) {
 if (type == AV1_WARP_MODEL_TRANSLATION) {
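Review bot: Neither hunk adds an explicit range check inside `read_global_param()`; the lookup `ref_frame_idx[primary_frame]` in the new `else` block is in bounds only if every `primary_ref_frame` value other than `AV1_PRIMARY_REF_NONE` is a valid index, and that invariant is enforced (if at all) by the header parser, which this diff does not show. The first hunk drops the read that previously ran even for `AV1_PRIMARY_REF_NONE` and the second relocates it, so I would record the dependency at the new declaration, e.g. `/* primary_ref_frame != AV1_PRIMARY_REF_NONE here, so it indexes ref_frame_idx[] in range */`. `prev_frame` is likewise used to index `s->ref[]` without a check and is now a signed `int` rather than `uint8_t`, so a negative table entry, should the parser ever leave one, would index before the array; that is worth confirming against the code that fills `ref_frame_idx[]`. The function body continues past the end of the second hunk.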