From b1bb8fb860b47e90dd67f0c5740698128fc82dcc Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Mon, 8 Apr 2013 22:12:12 +0200
Subject: [PATCH] svq1dec: check that the reference frame has the same
 dimensions as the current one

They can be different if the last keyframe failed to decode correctly.
Fixes possible invalid reads in such a case.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
---
 libavcodec/svq1dec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c
index d9e6f7ea450..156b9608590 100644
--- a/libavcodec/svq1dec.c
+++ b/libavcodec/svq1dec.c
@@ -689,7 +689,8 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data,
         } else {
             /* delta frame */
             uint8_t *previous = s->prev->data[i];
-            if (!previous) {
+            if (!previous ||
+                s->prev->width != s->width || s->prev->height != s->height) {
                 av_log(avctx, AV_LOG_ERROR, "Missing reference frame.\n");
                 result = AVERROR_INVALIDDATA;
                 goto err;
-- 
GitLab