Does CVE-2024-1580 affect libavif with dav1d decoder? #2122

Closed
friedfalafell0w opened this issue Apr 18, 2024 · 1 comment

Comments

@friedfalafell0w

I have a project that uses libavif with dav1d decoder, which has a recent bug (CVE-2024-1580). I'm not sure if libavif is affected though, and I would appreciate some help to confirm this in order to decide whether I need to update immediately.

The vulnerable code path in dav1d is only reached when c->n_fc > 1 (https://code.videolan.org/videolan/dav1d/-/blob/2b475307dc11be9a1c3cc4358102c76a7f386a51/src/decode.c#L2845), where c is the dav1d context.

The way libavif calls into dav1d, the max frame delay is hardcoded to 1 in the dav1d settings (https://github.com/AOMediaCodec/libavif/blob/main/src/codec_dav1d.c#L63), which in turn means that c->n_fc in dav1d is always 1 (https://code.videolan.org/videolan/dav1d/-/blob/master/src/lib.c?ref_type=heads#L122).

From my understanding, this should mean that libavif isn't affected. Am I missing something?

@jzern
Collaborator

jzern commented Apr 18, 2024

I believe this required large frame sizes (https://crbug.com/325284120 for those with access). libavif sets a default of 16384x16384 like Chrome does, so wouldn't be vulnerable unless this size was increased.

And yes, it looks like having a frame delay > 1 was necessary.
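The two gates discussed above (the issue body's point that the path needs c->n_fc > 1, and jzern's point that it also needs a large frame to be accepted) are small enough to model in code. The following is an added example, not code from this thread, from dav1d or from libavif: it mirrors, as an assumption about dav1d's lib.c, how the frame-context count is derived from max_frame_delay and the thread count (an explicit delay clamped to the thread count; zero meaning roughly ceil(sqrt(threads)) with an assumed cap of 8), applies libavif's described defaults (max_frame_delay = 1, frame_size_limit = 16384x16384 pixels) and reports whether a given configuration could even run with more than one frame context while accepting a frame of a given size. The names model_*, MODEL_MAX_THREADS and MODEL_AUTO_FC_CAP are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants, modelled on dav1d's public limits (assumption, not dav1d code). */
#define MODEL_MAX_THREADS      256u
#define MODEL_AUTO_FC_CAP      8u   /* assumption: cap on the auto-chosen frame delay */
#define LIBAVIF_DEFAULT_PIXELS (16384ull * 16384ull)

typedef struct {
    unsigned n_threads;        /* 0 = autodetect from logical CPUs */
    unsigned max_frame_delay;  /* 0 = let the decoder choose */
    uint64_t frame_size_limit; /* 0 = unlimited; otherwise max pixels per frame */
} model_settings;

/* libavif's dav1d configuration as described in the thread: frame delay pinned
 * to 1, frame size capped at 16384x16384 pixels. */
model_settings libavif_default_dav1d_settings(unsigned max_threads) {
    model_settings s = { max_threads, 1u, LIBAVIF_DEFAULT_PIXELS };
    return s;
}

static unsigned clamp_u(unsigned v, unsigned lo, unsigned hi) {
    return v < lo ? lo : v > hi ? hi : v;
}

/* ceil(sqrt(n)) without libm; adequate for n <= MODEL_MAX_THREADS. */
static unsigned ceil_isqrt(unsigned n) {
    unsigned r = 0;
    while (r * r < n) r++;
    return r;
}

/* Number of decode threads (n_tc): explicit setting, else logical CPU count. */
unsigned model_n_tc(const model_settings *s, unsigned logical_cpus) {
    unsigned want = s->n_threads ? s->n_threads : logical_cpus;
    return clamp_u(want, 1u, MODEL_MAX_THREADS);
}

/* Number of frame contexts (n_fc): an explicit max_frame_delay is clamped to
 * n_tc; zero asks for roughly ceil(sqrt(n_tc)), capped (assumed behaviour). */
unsigned model_n_fc(const model_settings *s, unsigned logical_cpus) {
    unsigned n_tc = model_n_tc(s, logical_cpus);
    if (s->max_frame_delay)
        return s->max_frame_delay < n_tc ? s->max_frame_delay : n_tc;
    return clamp_u(ceil_isqrt(n_tc), 1u, MODEL_AUTO_FC_CAP);
}

/* Whether a w x h frame passes the pixel-count limit. The multiplication is
 * guarded so absurd dimensions cannot wrap around and slip under the limit. */
bool model_frame_accepted(const model_settings *s, uint64_t w, uint64_t h) {
    if (w == 0 || h == 0) return false;
    if (s->frame_size_limit == 0) return true;
    if (w > UINT64_MAX / h) return false;      /* w*h would overflow */
    return w * h <= s->frame_size_limit;
}

/* Both preconditions named in the thread: more than one frame context, and a
 * frame of the given size actually accepted by the decoder. */
bool model_multi_fc_path_reachable(const model_settings *s, unsigned logical_cpus,
                                   uint64_t w, uint64_t h) {
    return model_n_fc(s, logical_cpus) > 1 && model_frame_accepted(s, w, h);
}

int main(void) {
    model_settings avif = libavif_default_dav1d_settings(8);
    model_settings raw  = { 0, 0, 0 };   /* a dav1d caller that left every default alone */
    printf("libavif defaults: n_fc=%u reachable(16384x16384)=%d\n",
           model_n_fc(&avif, 64), model_multi_fc_path_reachable(&avif, 64, 16384, 16384));
    printf("raw dav1d:        n_fc=%u reachable(32768x32768)=%d\n",
           model_n_fc(&raw, 64), model_multi_fc_path_reachable(&raw, 64, 32768, 32768));
    return 0;
}
```

With libavif's defaults the first gate never opens: n_fc is min(1, n_tc), which is 1 for any thread count, so raising imageSizeLimit on the libavif side only opens the second gate. A program that calls dav1d directly and leaves max_frame_delay at 0 gets several frame contexts on a multi-core host and an unlimited frame size unless it sets frame_size_limit itself, which is the configuration the caveat in the thread is about.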
