vp9: fix mix-up of last-frame/cur-frame in frame size checks.

Fixes invalid reads in fuzzed7.ivf.
This commit is contained in:
Ronald S. Bultje 2014-02-07 20:14:38 -05:00 committed by Clément Bœsch
parent 669d4f9053
commit bbc3425fa2

View File

@ -525,8 +525,11 @@ static int decode_frame_header(AVCodecContext *ctx,
w = get_bits(&s->gb, 16) + 1; w = get_bits(&s->gb, 16) + 1;
h = get_bits(&s->gb, 16) + 1; h = get_bits(&s->gb, 16) + 1;
} }
s->use_last_frame_mvs &= s->frames[LAST_FRAME].tf.f->width == w && // Note that in this code, "CUR_FRAME" is actually before we
s->frames[LAST_FRAME].tf.f->height == h; // have formally allocated a frame, and thus actually represents
// the _last_ frame
s->use_last_frame_mvs &= s->frames[CUR_FRAME].tf.f->width == w &&
s->frames[CUR_FRAME].tf.f->height == h;
if (get_bits1(&s->gb)) // display size if (get_bits1(&s->gb)) // display size
skip_bits(&s->gb, 32); skip_bits(&s->gb, 32);
s->highprecisionmvs = get_bits1(&s->gb); s->highprecisionmvs = get_bits1(&s->gb);