libavcodec/mvha: Check height before applying median predictor

Fixes: out of array read Fixes: 20495/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5711179129552896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-02-09 17:02:45 +0300
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-02-10 01:33:18 +0300
commit: c9c958051cc91604b9427229d648e65e782476d4 (patch)
tree: 34bc75db5528d0e8afb083abb023985be828d3f7 /libavcodec/mvha.c
parent: b0eec1391e1daeade456698b1aee9b2d43a6f538 (diff)
1 files changed, 7 insertions, 5 deletions
diff --git a/libavcodec/mvha.c b/libavcodec/mvha.c
index afe5e511f2..1ea3bb3d76 100644
--- a/libavcodec/mvha.c
+++ b/libavcodec/mvha.c
@@ -256,12 +256,14 @@ static int decode_frame(AVCodecContext *avctx,
 
         dst = frame->data[p] + (avctx->height - 1) * frame->linesize[p];
         s->llviddsp.add_left_pred(dst, dst, width, 0);
-        dst -= stride;
-        lefttop = left = dst[0];
-        for (int y = 1; y < avctx->height; y++) {
-            s->llviddsp.add_median_pred(dst, dst + stride, dst, width, &left, &lefttop);
-            lefttop = left = dst[0];
+        if (avctx->height > 1) {
             dst -= stride;
+            lefttop = left = dst[0];
+            for (int y = 1; y < avctx->height; y++) {
+                s->llviddsp.add_median_pred(dst, dst + stride, dst, width, &left, &lefttop);
+                lefttop = left = dst[0];
+                dst -= stride;
+            }
         }
     }
author	Michael Niedermayer <michael@niedermayer.cc>	2020-02-09 17:02:45 +0300
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-02-10 01:33:18 +0300
commit	c9c958051cc91604b9427229d648e65e782476d4 (patch)
tree	34bc75db5528d0e8afb083abb023985be828d3f7 /libavcodec/mvha.c
parent	b0eec1391e1daeade456698b1aee9b2d43a6f538 (diff)