From 3b57bb478ff4455773378355e285877d757e151e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Mon, 7 Jan 2013 23:42:35 +0100
Subject: svq1dec: check that the reference frame matches in size before using
 it.

Fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/svq1dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'libavcodec')

diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c
index 187522c3bf..573568374a 100644
--- a/libavcodec/svq1dec.c
+++ b/libavcodec/svq1dec.c
@@ -692,7 +692,7 @@ static int svq1_decode_frame(AVCodecContext *avctx, void *data,
         } else {
             /* delta frame */
             uint8_t *previous = s->prev->data[i];
-            if (!previous) {
+            if (!previous || s->prev->width != s->cur->width || s->prev->height != s->cur->height) {
                 av_log(avctx, AV_LOG_ERROR, "Missing reference frame.\n");
                 result = AVERROR_INVALIDDATA;
                 goto err;
-- 
cgit v1.2.3