From 5430839144c6da0160e8e0cfb0c8db01de432e94 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Thu, 28 Nov 2013 10:54:35 +0100
Subject: eacmv: clear references on frame dimensions change

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
---
 libavcodec/eacmv.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'libavcodec/eacmv.c')

diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c
index 1a4e16e15e..6adadb12d1 100644
--- a/libavcodec/eacmv.c
+++ b/libavcodec/eacmv.c
@@ -141,6 +141,12 @@ static int cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t *
 s->width = AV_RL16(&buf[4]);
 s->height = AV_RL16(&buf[6]);
 
+ if (s->width != s->avctx->width ||
+ s->height != s->avctx->height) {
+ av_frame_unref(s->last_frame);
+ av_frame_unref(s->last2_frame);
+ }
+
 ret = ff_set_dimensions(s->avctx, s->width, s->height);
 if (ret < 0)
 return ret;
-- 
cgit v1.2.3
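Review bot: The added `if` in cmv_process_header uses `s->avctx->width`/`height` as a proxy for the size of the buffers held in `s->last_frame` and `s->last2_frame`, and nothing in the hunk says why that is sufficient. A short comment above the check would record the invariant, for example `/* references sized for the old dimensions must never be read at the new ones */`. The fix also relies on every reader of the two frames handling an empty (unreferenced) frame; that code is presumably in the inter-frame decode path outside this hunk and is worth confirming there. The references are dropped before `ff_set_dimensions()` has validated the new size, so a rejected header still discards them; that fails safe, but a single malformed header then costs the decoder its prediction state. The function body starts and ends outside the hunk.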