vp9: fix mix-up of last-frame/cur-frame in frame size checks.

Fixes invalid reads in fuzzed7.ivf.
author: Ronald S. Bultje <rsbultje@gmail.com> 2014-02-07 20:14:38 -0500
committer: Clément Bœsch <u@pkh.me> 2014-02-08 11:18:37 +0100
commit: bbc3425fa25ef0ff830f6bb4a290d32ee7ad79f4 (patch)
tree: 11fee9bdcec24d20ce753467016ea33800d85979 /libavcodec/vp9.c
parent: 669d4f9053f931ceee513f76dba4ed131e4861a8 (diff)
download: ffmpeg-bbc3425fa25ef0ff830f6bb4a290d32ee7ad79f4.tar.gz
1 files changed, 5 insertions, 2 deletions
diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index 6d87b5765b..3545b32360 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -525,8 +525,11 @@ static int decode_frame_header(AVCodecContext *ctx,
                 w = get_bits(&s->gb, 16) + 1;
                 h = get_bits(&s->gb, 16) + 1;
             }
-            s->use_last_frame_mvs &= s->frames[LAST_FRAME].tf.f->width == w &&
-                                     s->frames[LAST_FRAME].tf.f->height == h;
+            // Note that in this code, "CUR_FRAME" is actually before we
+            // have formally allocated a frame, and thus actually represents
+            // the _last_ frame
+            s->use_last_frame_mvs &= s->frames[CUR_FRAME].tf.f->width == w &&
+                                     s->frames[CUR_FRAME].tf.f->height == h;
             if (get_bits1(&s->gb)) // display size
                 skip_bits(&s->gb, 32);
             s->highprecisionmvs = get_bits1(&s->gb);
author	Ronald S. Bultje <rsbultje@gmail.com>	2014-02-07 20:14:38 -0500
committer	Clément Bœsch <u@pkh.me>	2014-02-08 11:18:37 +0100
commit	bbc3425fa25ef0ff830f6bb4a290d32ee7ad79f4 (patch)
tree	11fee9bdcec24d20ce753467016ea33800d85979 /libavcodec/vp9.c
parent	669d4f9053f931ceee513f76dba4ed131e4861a8 (diff)
download	ffmpeg-bbc3425fa25ef0ff830f6bb4a290d32ee7ad79f4.tar.gz