[PATCH 0/2] media: meson: vdec: fix two more VP9 reference-frame lifetime bugs
From: Doruk Tan Ozturk
Date: Sat Jun 27 2026 - 02:55:51 EST
While reviewing the earlier VP9 prev_frame use-after-free fix, a
Sashiko AI review of that change surfaced two further reference-frame
lifetime bugs in the same decoder, both rooted in vp9->prev_frame /
vp9->cur_frame not being managed across all decode entry points.
Patch 1 clears the cached prev_frame/cur_frame pointers in the .drain
flush path, which frees every ref_frames_list node but leaves those two
pointers aliasing freed memory; a decode resuming with an inter frame
would then dereference freed vp9_frame storage in
codec_vp9_set_mpred_mv() (use-after-free).
Patch 2 guards codec_vp9_set_mpred_mv() against vp9->prev_frame being
NULL, which happens when the first decoded frame is an inter frame
(malformed/adversarial input, or the first frame after a flush). The
function dereferences prev_frame unconditionally, both for the
use_prev_frame_mvs computation and for the previous-frame MV read
register programming, so the NULL case is a NULL pointer dereference.
Both issues were found by static analysis and are not yet
runtime-reproduced (Amlogic Meson hardware required).
Found by 0sec's autonomous vulnerability analysis (https://0sec.ai).
Doruk Tan Ozturk (2):
media: meson: vdec: clear stale prev_frame/cur_frame on flush
media: meson: vdec: guard against NULL prev_frame in
codec_vp9_set_mpred_mv()
drivers/staging/media/meson/vdec/codec_vp9.c | 37 ++++++++++++++++----
1 file changed, 30 insertions(+), 7 deletions(-)
--
2.53.0