From: Anton Khirnov <anton@khirnov.net>
Date: Mon, 8 Apr 2013 20:12:12 +0000 (+0200)
Subject: svq1dec: check that the reference frame has the same dimensions as the current one
X-Git-Tag: v10_alpha1~1784
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b1bb8fb860b47e90dd67f0c5740698128fc82dcc;p=platform%2Fupstream%2Flibav.git

svq1dec: check that the reference frame has the same dimensions as the current one

They can be different if the last keyframe failed to decode correctly.
Fixes possible invalid reads in such a case.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
---

diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c
index d9e6f7e..156b960 100644
--- a/libavcodec/svq1dec.c
+++ b/libavcodec/svq1dec.c
@@ -689,7 +689,8 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data,
         } else {
             /* delta frame */
             uint8_t *previous = s->prev->data[i];
-            if (!previous) {
+            if (!previous ||
+                s->prev->width != s->width || s->prev->height != s->height) {
                 av_log(avctx, AV_LOG_ERROR, "Missing reference frame.\n");
                 result = AVERROR_INVALIDDATA;
                 goto err;