[CVE-2017-17129] vc1: skip motion compensation when data fro last picture is invalid

Bug-Id: 1101
Cc: libav-stable@libav.org
(cherry picked from commit 5085f25ace1e74846a0de3369bedd0e22d1a1bdc)
Signed-off-by: Sean McGovern <gseanmcg@gmail.com>
Change-Id: I5f13d62d569ac3262a35ff11a3808abb59eff67a
(cherry picked from commit 7be0ce8d7175a1a3dcbd165c303107e294bf8171)

diff --git a/libavcodec/vc1_mc.c b/libavcodec/vc1_mc.c
index f4632d6..18ac47a 100644 (file)
--- a/libavcodec/vc1_mc.c
+++ b/libavcodec/vc1_mc.c
@@ -689,6 +689,11 @@ void ff_vc1_mc_4mv_chroma4(VC1Context *v, int dir, int dir2, int avg)
     if (s->avctx->flags & AV_CODEC_FLAG_GRAY)
         return;
 
+    if (!s->last_picture.f->data[1]) {
+      av_log(s->avctx, AV_LOG_ERROR, "Bad data in last picture frame.\n");
+      return;
+    }
+
     for (i = 0; i < 4; i++) {
         int d = i < 2 ? dir: dir2;
         tx = s->mv[d][i][0];