From 11142fb83bb8ca88c4bb80bd110a1dfdc23d978a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 30 Jun 2015 19:37:12 +0200 Subject: [PATCH] avcodec/h264_slice: Use w/h from the AVFrame instead of mb_w/h Fixes out of array access Fixes: asan_heap-oob_4d5bb0_682_cov_3124593265_Fraunhofer__a_driving_force_in_innovation__small.mp4 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 330863c9f19a23c500ba7901a23f1cc377b353bb) Conflicts: libavcodec/h264_slice.c --- libavcodec/h264_slice.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 6f6c2f16c5..15700a8e67 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1678,8 +1678,8 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0) (const uint8_t **)prev->f.data, prev->f.linesize, prev->f.format, - h->mb_width * 16, - h->mb_height * 16); + prev->f.width, + prev->f.height); h->short_ref[0]->poc = prev->poc + 2; } h->short_ref[0]->frame_num = h->prev_frame_num;