[PATCH] media: cedrus: skip invalid H.264 reference list entries
From: Pengpeng Hou
Date: Tue Mar 24 2026 - 04:25:20 EST
Cedrus consumes H.264 ref_pic_list0/ref_pic_list1 entries from the
stateless slice control and later uses their indices to look up
decode->dpb[] in _cedrus_write_ref_list().

Rejecting such controls in cedrus_try_ctrl() would break existing
userspace, since stateless H.264 reference lists may legitimately carry
out-of-range indices for missing references. Instead, guard the actual
DPB lookup in Cedrus and skip entries whose indices do not fit the fixed
V4L2_H264_NUM_DPB_ENTRIES array.

This keeps the fix local to the driver use site and avoids out-of-bounds
reads from malformed or unsupported reference list entries.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
drivers/staging/media/sunxi/cedrus/cedrus_h264.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/staging/media/sunxi/cedrus/cedrus_h264.c b/drivers/staging/media/sunxi/cedrus/cedrus_h264.c
--- a/drivers/staging/media/sunxi/cedrus/cedrus_h264.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus_h264.c
@@ -210,6 +210,9 @@ static void _cedrus_write_ref_list(struct cedrus_ctx *ctx,
u8 dpb_idx;
dpb_idx = ref_list[i].index;
+ if (dpb_idx >= V4L2_H264_NUM_DPB_ENTRIES)
+ continue;
+
dpb = &decode->dpb[dpb_idx];
if (!(dpb->flags & V4L2_H264_DPB_ENTRY_FLAG_ACTIVE))
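Review bot: The new `if (dpb_idx >= V4L2_H264_NUM_DPB_ENTRIES)` check carries no comment saying that out-of-range indices are expected input for missing references rather than a driver bug. That reasoning lives only in the commit message, so a later reader could take the silent `continue` for an oversight and "fix" it by rejecting the control. A one-line comment above the check would cover it. Consider also writing the bound as `ARRAY_SIZE(decode->dpb)`, so that the test stays tied to the array indexed on the next line, `dpb = &decode->dpb[dpb_idx];`, if its size ever changes. The visible context does not show what the hardware list slot for a skipped entry ends up holding; stating in the commit message that it is left at a defined value would help reviewers confirm that a skipped entry cannot alias a valid reference.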
--
2.50.1