author | Michael Niedermayer <michael@niedermayer.cc> | 2017-07-06 03:46:44 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-07-06 03:59:09 +0200 |
commit | f1baafac7129c3bb8d4abaaa899988c7a51ca5cd (patch) | |
tree | 55665dee4a0db6dfe649a4d1e47c1a8a93d65187 | |
parent | 121ab69c9d0650b8be9b3351b5f4fcaa5235bded (diff) | |
download | ffmpeg-f1baafac7129c3bb8d4abaaa899988c7a51ca5cd.tar.gz |
avcodec/interplayvideo: Clean up frames on parameter change
Fixes: out of array access
Fixes: 2467/clusterfuzz-testcase-minimized-4755798049685504
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/interplayvideo.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c
index d6f484aa09..deaa09cba6 100644
--- a/libavcodec/interplayvideo.c
+++ b/libavcodec/interplayvideo.c
@@ -1214,6 +1214,20 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
 if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) {
 av_frame_unref(s->last_frame);
 av_frame_unref(s->second_last_frame);
+ av_frame_unref(s->cur_decode_frame);
+ av_frame_unref(s->prev_decode_frame);
+ }
+
+ if (!s->cur_decode_frame->data[0]) {
+ ret = ff_get_buffer(avctx, s->cur_decode_frame, 0);
+ if (ret < 0)
+ return ret;
+
+ ret = ff_get_buffer(avctx, s->prev_decode_frame, 0);
+ if (ret < 0) {
+ av_frame_unref(s->cur_decode_frame);
+ return ret;
+ }
 }
 
 if (buf_size < 8) |
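Review bot: The new allocation guard tests only `s->cur_decode_frame->data[0]` and silently assumes `prev_decode_frame` is in the same state; within this hunk that holds, because both frames are unreferenced together and a failed second `ff_get_buffer()` rolls back the first, but nothing records the invariant. I would add a comment above the guard such as `/* cur_decode_frame and prev_decode_frame are allocated and released as a pair; data[0] of one stands for both */`, so a later change that releases only one of them does not bring back a stale or unallocated reference frame. Separately, the freshly obtained buffers are not cleared here, so if any decode path reads `prev_decode_frame` before writing it (not visible in this hunk), the output after a parameter change would depend on whatever the buffer allocator returned; that is worth confirming. The body of `ipvideo_decode_frame` starts and ends outside the hunk.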