avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h
authorMichael Niedermayer <michaelni@gmx.at>
Tue, 30 Jun 2015 17:37:12 +0000 (19:37 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Mon, 20 Jul 2015 02:43:41 +0000 (04:43 +0200)
Fixes out of array access
Fixes: asan_heap-oob_4d5bb0_682_cov_3124593265_Fraunhofer__a_driving_force_in_innovation__small.mp4

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 330863c9f19a23c500ba7901a23f1cc377b353bb)

Conflicts:

libavcodec/h264_slice.c

libavcodec/h264_slice.c

index 6f6c2f1..15700a8 100644 (file)
@@ -1678,8 +1678,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0)
                                   (const uint8_t **)prev->f.data,
                                   prev->f.linesize,
                                   prev->f.format,
-                                  h->mb_width  * 16,
-                                  h->mb_height * 16);
+                                  prev->f.width,
+                                  prev->f.height);
                     h->short_ref[0]->poc = prev->poc + 2;
                 }
                 h->short_ref[0]->frame_num = h->prev_frame_num;