From 2d3099ad8ee67a4612633ea02c7fce10e5537579 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Thu, 8 Sep 2016 21:15:55 +0200
Subject: [PATCH] avcodec/svq3: Reintroduce slice_type
Fixes out of array read
Fixes: 1642cd3962249d6aaf0eec2836023fb6/signal_sigsegv_2557a72_2995_04efaf2ff57a052f609a3b4a2ea4e622.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/svq3.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 653a6dba07..5aedc1e657 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -115,6 +115,7 @@ typedef struct SVQ3Context {
 int prev_frame_num;
 enum AVPictureType pict_type;
+ enum AVPictureType slice_type;
 int low_delay;
 int mb_x, mb_y;
@@ -1070,7 +1071,7 @@ static int svq3_decode_slice_header(AVCodecContext *avctx)
 return -1;
 }
- s->pict_type = ff_h264_golomb_to_pict_type[slice_id];
+ s->slice_type = ff_h264_golomb_to_pict_type[slice_id];
 if ((header & 0x9F) == 2) {
 i = (s->mb_num < 64) ? 6 : (1 + av_log2(s->mb_num - 1));
@@ -1439,6 +1440,8 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data,
 if (svq3_decode_slice_header(avctx))
 return -1;
+ s->pict_type = s->slice_type;
+
 if (s->pict_type != AV_PICTURE_TYPE_B)
 FFSWAP(SVQ3Frame*, s->next_pic, s->last_pic);
@@ -1552,6 +1555,9 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data,
 if (svq3_decode_slice_header(avctx))
 return -1;
 }
+ if (s->slice_type != s->pict_type) {
+ avpriv_request_sample(avctx, "non constant slice type\n");
+ }
 /* TODO: support s->mb_skip_run */
 }
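Review bot: The new `slice_type` field in SVQ3Context sits beside `pict_type` with nothing saying how the two differ, and that distinction is what the fix rests on. Going by the other hunks, `slice_type` is written by svq3_decode_slice_header() each time a slice header is parsed, while `pict_type` is copied from it after the first slice header in svq3_decode_frame(). I would add `/* type parsed from the latest slice header; pict_type is copied from it at frame start */` above the field, so a later change does not go back to writing `pict_type` from the slice parser.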
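Review bot: In the last hunk of svq3_decode_frame(), a slice whose type differs from the frame's `pict_type` is only reported, and decoding carries on with the frame-level type. The commit message says this change fixes an out of array read, so the branch should either carry a comment stating why continuing is safe or stop decoding, for example with `return -1;` after the request as the neighbouring error paths do, if rejecting such files is acceptable. Separately, the string passed to avpriv_request_sample() should lose its trailing `\n`, because the helper appends its own text after the message: `avpriv_request_sample(avctx, "non constant slice type");`. The enclosing loop and the rest of the function lie outside the hunk, so whether anything later still reads `slice_type` cannot be checked from here.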