From 9c208b404cbd56ee4e217aa20e7e09ebfa21cfd5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Mon, 3 Dec 2012 01:26:23 +0100
Subject: [PATCH] vp56: Ignore reconfiguration from the alpha plane.

Fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/vp56.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index 3002fc1572..ae7a1172e1 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -547,6 +547,10 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     }
 
     if (s->has_alpha) {
+        int bak_w = avctx->width;
+        int bak_h = avctx->height;
+        int bak_cw = avctx->coded_width;
+        int bak_ch = avctx->coded_height;
         buf += alpha_offset;
         remaining_buf_size -= alpha_offset;
 
@@ -554,14 +558,12 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
         if (res != 1) {
             if(res==2) {
                 av_log(avctx, AV_LOG_ERROR, "Alpha reconfiguration\n");
-                for (i = 0; i < 4; i++) {
-                    if (s->frames[i].data[0])
-                        avctx->release_buffer(avctx, &s->frames[i]);
-                    av_assert0(!s->alpha_context->frames[i].data[0]);
-                }
-                vp56_size_changed(s);
-            }else
-                avctx->release_buffer(avctx, p);
+                avctx->width  = bak_w;
+                avctx->height = bak_h;
+                avctx->coded_width  = bak_cw;
+                avctx->coded_height = bak_ch;
+            }
+            avctx->release_buffer(avctx, p);
             return -1;
         }
     }