avcodec/cbs_av1_syntax_template: Check ref_frame_idx before use

Fixes: index -1 out of bounds for type 'AV1ReferenceFrameState [8]' Fixes: 16079/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5758807440883712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer <jamrial@gmail.com> See: [FFmpeg-devel] [PATCH 05/13] avcodec/cbs_av1_syntax_template: Check ref_frame_idx before use Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-12-23 12:43:46 +02:00 · 2019-08-04 09:51:26 +02:00 · 2019-08-04 09:51:26 +02:00 · 8174e5c77d
commit 8174e5c77d
parent 392c028cd2
1 changed files with 4 additions and 3 deletions
--- a/libavcodec/cbs_av1_syntax_template.c
+++ b/libavcodec/cbs_av1_syntax_template.c
@ -419,16 +419,17 @@ static int FUNC(frame_size_with_refs)(CodedBitstreamContext *ctx, RWContext *rw,
    for (i = 0; i < AV1_REFS_PER_FRAME; i++) {
        flags(found_ref[i], 1, i);
        if (current->found_ref[i]) {
-            AV1ReferenceFrameState *ref =
-                &priv->ref[current->ref_frame_idx[i]];
+            AV1ReferenceFrameState *ref;

-            if (!ref->valid) {
+            if (current->ref_frame_idx[i] < 0 ||
+                !priv->ref[current->ref_frame_idx[i]].valid) {
                av_log(ctx->log_ctx, AV_LOG_ERROR,
                       "Missing reference frame needed for frame size "
                       "(ref = %d, ref_frame_idx = %d).\n",
                       i, current->ref_frame_idx[i]);
                return AVERROR_INVALIDDATA;
            }
+            ref = &priv->ref[current->ref_frame_idx[i]];

            priv->upscaled_width = ref->upscaled_width;
            priv->frame_width    = ref->frame_width;