

ref: 604bbca896a6656d29493656f6a7c6e188321ff0
parent: 82d8807750ffc9ad5b864ac0605553a2211b297d
author: Janne Grunau <[email protected]>
date: Tue Oct 9 20:06:21 EDT 2018

decode: error out if the primary ref frame does not exist

Fixes a null pointer dereference with
clusterfuzz-testcase-minimized-dav1d_fuzzer-5670100066107392.
Credit to OSS-Fuzz

--- a/src/decode.c
+++ b/src/decode.c
@@ -2776,11 +2776,17 @@
     }
 #undef assign_bitdepth_case
 
-    if (f->frame_hdr.frame_type & 1)
+    if (f->frame_hdr.frame_type & 1) {
+        if (f->frame_hdr.primary_ref_frame != PRIMARY_REF_NONE) {
+            const int pri_ref = f->frame_hdr.refidx[f->frame_hdr.primary_ref_frame];
+            if (!c->refs[pri_ref].p.p.data[0])
+                return -EINVAL;
+        }
         for (int i = 0; i < 7; i++) {
             const int refidx = f->frame_hdr.refidx[i];
             dav1d_thread_picture_ref(&f->refp[i], &c->refs[refidx].p);
         }
+    }
 
     // setup entropy
     if (f->frame_hdr.primary_ref_frame == PRIMARY_REF_NONE) {
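Review bot: The new guard at lines 24–27 validates only the primary reference frame, while the loop immediately after it still takes a reference to all seven `c->refs[refidx].p` entries regardless of whether each holds a picture; if any later inter-prediction path dereferences a ref whose `data[0]` is NULL, the same class of crash remains for the non-primary refs, so it is worth either confirming those paths tolerate an empty ref or extending the existence check to every `refidx` the frame uses. The enclosing function starts before this hunk, so I cannot see whether state set up by the `assign_bitdepth_case` block above needs to be released on this early `return -EINVAL`; the new error path should mirror whatever the function's other early returns do. A one-line comment on the check would help the next reader, e.g. `// the entropy setup below loads state from the primary ref; reject the frame rather than dereference a missing one`.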