This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit c3795bf59a414ae3156940e229a14279a2991657 Author: James Almer <[email protected]> AuthorDate: Sun May 3 12:58:27 2026 -0300 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 19:27:36 2026 +0200 avcodec/av1dec: check that primary_ref_frame is within range Fixes CVE-2026-30997 Fixes: Out-of-Bounds Access Found-by: Xinghang Lv Signed-off-by: James Almer <[email protected]> (cherry picked from commit 1a2c16fe514b60e1860829c42ce199de77a007e5) (cherry picked from commit 3c4ca300f469d657051c8584515870fe9c36aaa3) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/av1dec.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c index d6974a43a4..b70632135e 100644 --- a/libavcodec/av1dec.c +++ b/libavcodec/av1dec.c @@ -85,12 +85,11 @@ static int32_t decode_signed_subexp_with_ref(uint32_t sub_exp, int low, static void read_global_param(AV1DecContext *s, int type, int ref, int idx) { - uint8_t primary_frame, prev_frame; + int primary_frame; uint32_t abs_bits, prec_bits, round, prec_diff, sub, mx; int32_t r, prev_gm_param; primary_frame = s->raw_frame_header->primary_ref_frame; - prev_frame = s->raw_frame_header->ref_frame_idx[primary_frame]; abs_bits = AV1_GM_ABS_ALPHA_BITS; prec_bits = AV1_GM_ALPHA_PREC_BITS; @@ -100,8 +99,10 @@ static void read_global_param(AV1DecContext *s, int type, int ref, int idx) */ if (s->raw_frame_header->primary_ref_frame == AV1_PRIMARY_REF_NONE) prev_gm_param = s->cur_frame.gm_params[ref][idx]; - else + else { + int prev_frame = s->raw_frame_header->ref_frame_idx[primary_frame]; prev_gm_param = s->ref[prev_frame].gm_params[ref][idx]; + } if (idx < 2) { if (type == AV1_WARP_MODEL_TRANSLATION) { _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
