Commit 604bbca8 authored by Janne Grunau's avatar Janne Grunau

decode: error out if the primary ref frame does not exist

Fixes a null pointer dereference with
clusterfuzz-testcase-minimized-dav1d_fuzzer-5670100066107392.
Credit to OSS-Fuzz
parent 82d88077
......@@ -2776,11 +2776,17 @@ int dav1d_submit_frame(Dav1dContext *const c) {
}
#undef assign_bitdepth_case
if (f->frame_hdr.frame_type & 1)
if (f->frame_hdr.frame_type & 1) {
if (f->frame_hdr.primary_ref_frame != PRIMARY_REF_NONE) {
const int pri_ref = f->frame_hdr.refidx[f->frame_hdr.primary_ref_frame];
if (!c->refs[pri_ref].p.p.data[0])
return -EINVAL;
}
for (int i = 0; i < 7; i++) {
const int refidx = f->frame_hdr.refidx[i];
dav1d_thread_picture_ref(&f->refp[i], &c->refs[refidx].p);
}
}
// setup entropy
if (f->frame_hdr.primary_ref_frame == PRIMARY_REF_NONE) {