The function derive_mmvd in libavcodec/vvc/ctu.c used reference indices without validating them against the RPL size. This patch adds checks to prevent out-of-bounds memory access.
Signed-off-by: 0xBat <[email protected]>
---
 libavcodec/vvc/ctu.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c
index 18cbe0fe0f..8e4f003886 100644
--- a/libavcodec/vvc/ctu.c
+++ b/libavcodec/vvc/ctu.c
@@ -1287,6 +1287,8 @@ static void derive_mmvd(const VVCLocalContext *lc, MvField *mvf, const Mv *mmvd_
 if (mvf->pred_flag == PF_BI) {
 const RefPicList *rpl = sc->rpl;
 const int poc = lc->fc->ps.ph.poc;
+ if (mvf->ref_idx[L0] >= rpl[L0].nb_refs || mvf->ref_idx[L1] >= rpl[L1].nb_refs)
+ return;
 const int diff[] = {
 poc - rpl[L0].refs[mvf->ref_idx[L0]].poc,
 poc - rpl[L1].refs[mvf->ref_idx[L1]].poc
-- 
2.52.0.windows.1
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
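Review bot: The added guard in the PF_BI branch bounds `ref_idx` only from above, so if `ref_idx` is a signed type (its declaration is not visible here) a negative value still passes the `>=` test and `rpl[Lx].refs[mvf->ref_idx[Lx]]` reads before the array. Comparing as unsigned covers both ends in one test: `if ((unsigned)mvf->ref_idx[L0] >= (unsigned)rpl[L0].nb_refs || (unsigned)mvf->ref_idx[L1] >= (unsigned)rpl[L1].nb_refs)`. The bare `return` also leaves the out-of-range index in `mvf`, where any later consumer that indexes the reference list with it would hit the same problem; the function is `void` and cannot report the error. It seems safer to reject the index where it is parsed or derived and fail the frame with `AVERROR_INVALIDDATA`, keeping this check as defence in depth with a short comment saying it guards against corrupt bitstreams. The body of `derive_mmvd` starts and ends outside the hunk, so the non-BI path could not be reviewed.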
