libavcodec/mvha: Check height before applying median predictor

Fixes: out of array read
Fixes: 20495/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5711179129552896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

1 files changed, 7 insertions, 5 deletions

diff --git a/libavcodec/mvha.c b/libavcodec/mvha.c
index afe5e511f2..1ea3bb3d76 100644
--- a/libavcodec/mvha.c
+++ b/libavcodec/mvha.c
@@ -256,12 +256,14 @@ static int decode_frame(AVCodecContext *avctx,
 
         dst = frame->data[p] + (avctx->height - 1) * frame->linesize[p];
         s->llviddsp.add_left_pred(dst, dst, width, 0);
-        dst -= stride;
-        lefttop = left = dst[0];
-        for (int y = 1; y < avctx->height; y++) {
-            s->llviddsp.add_median_pred(dst, dst + stride, dst, width, &left, &lefttop);
-            lefttop = left = dst[0];
+        if (avctx->height > 1) {
             dst -= stride;
+            lefttop = left = dst[0];
+            for (int y = 1; y < avctx->height; y++) {
+                s->llviddsp.add_median_pred(dst, dst + stride, dst, width, &left, &lefttop);
+                lefttop = left = dst[0];
+                dst -= stride;
+            }
         }
     }