svq1dec: check that the reference frame has the same dimensions as the current one

They can be different if the last keyframe failed to decode correctly. Fixes possible invalid reads in such a case. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org
author: Anton Khirnov <anton@khirnov.net> 2013-04-08 22:12:12 +0200
committer: Anton Khirnov <anton@khirnov.net> 2013-04-17 10:55:30 +0200
commit: b1bb8fb860b47e90dd67f0c5740698128fc82dcc (patch)
tree: 248ef12bc1d5eb5d9f0070861b85008dbce2c90e
parent: c0771a1ac6da697f86e3b10c8fe5dbc2ee92e347 (diff)
download: ffmpeg-b1bb8fb860b47e90dd67f0c5740698128fc82dcc.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c
index d9e6f7ea45..156b960859 100644
--- a/libavcodec/svq1dec.c
+++ b/libavcodec/svq1dec.c
@@ -689,7 +689,8 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data,
         } else {
             /* delta frame */
             uint8_t *previous = s->prev->data[i];
-            if (!previous) {
+            if (!previous ||
+                s->prev->width != s->width || s->prev->height != s->height) {
                 av_log(avctx, AV_LOG_ERROR, "Missing reference frame.\n");
                 result = AVERROR_INVALIDDATA;
                 goto err;
author	Anton Khirnov <anton@khirnov.net>	2013-04-08 22:12:12 +0200
committer	Anton Khirnov <anton@khirnov.net>	2013-04-17 10:55:30 +0200
commit	b1bb8fb860b47e90dd67f0c5740698128fc82dcc (patch)
tree	248ef12bc1d5eb5d9f0070861b85008dbce2c90e
parent	c0771a1ac6da697f86e3b10c8fe5dbc2ee92e347 (diff)
download	ffmpeg-b1bb8fb860b47e90dd67f0c5740698128fc82dcc.tar.gz