From 7117547298b13d6f52a20d6a62a27dc0a1c3e263 Mon Sep 17 00:00:00 2001
From: Christophe Gisquet <christophe.gisquet@gmail.com>
Date: Sun, 10 Aug 2014 11:43:12 +0200
Subject: [PATCH] hevc: fix incorrect sao buffer size

It previously used the output, cropped size, causing overreads/writes.

Fixes ticket #3839.

This issue was introduced by d249e682, which is not part of any release

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/hevc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index 1972a5b19a..3272485486 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -280,16 +280,16 @@ static int get_buffer_sao(HEVCContext *s, AVFrame *frame, const HEVCSPS *sps)
 {
     int ret, i;
 
-    frame->width  = s->avctx->width  + 2;
-    frame->height = s->avctx->height + 2;
+    frame->width  = s->avctx->coded_width  + 2;
+    frame->height = s->avctx->coded_height + 2;
     if ((ret = ff_get_buffer(s->avctx, frame, AV_GET_BUFFER_FLAG_REF)) < 0)
         return ret;
     for (i = 0; frame->data[i]; i++) {
         int offset = frame->linesize[i] + (1 << sps->pixel_shift);
         frame->data[i] += offset;
     }
-    frame->width  = s->avctx->width;
-    frame->height = s->avctx->height;
+    frame->width  = s->avctx->coded_width;
+    frame->height = s->avctx->coded_height;
 
     return 0;
 }