From 6ef57f4d9a0920c82237facb0d1f3856b17da9dc Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 7 Feb 2014 04:32:28 +0100
Subject: [PATCH] avcodec/hevc: hls_decode_entry: check that the previous slice segment is available before decoding the next

Fixes use of uninitialized memory
Fixes out of array read
Fixes assertion failure
Fixes part of cb307d24befbd109c6f054008d6777b5/asan_static-oob_124a175_1445_cov_2355279992_DBLK_D_VIXS_1.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/hevc.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index 6fcd548016..13d4903487 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -1916,6 +1916,14 @@ static int hls_decode_entry(AVCodecContext *avctxt, void *isFilterThread)
 return AVERROR_INVALIDDATA;
 }

+ if (s->sh.dependent_slice_segment_flag) {
+ int prev_rs = s->pps->ctb_addr_ts_to_rs[ctb_addr_ts - 1];
+ if (s->tab_slice_address[prev_rs] == -1) {
+ av_log(s->avctx, AV_LOG_ERROR, "Previous slice segment missing\n");
+ return AVERROR_INVALIDDATA;
+ }
+ }
+
 while (more_data && ctb_addr_ts < s->sps->ctb_size) {
 int ctb_addr_rs = s->pps->ctb_addr_ts_to_rs[ctb_addr_ts];
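Review bot: The added block indexes `s->pps->ctb_addr_ts_to_rs[ctb_addr_ts - 1]` without any visible proof that `ctb_addr_ts` is non-zero, so a dependent slice segment at address 0 would read one element before the table. The check whose tail (`return AVERROR_INVALIDDATA; }`) forms the hunk's leading context may already reject that case, but it lies outside the hunk. I would state the dependency next to the index with a comment such as `/* ctb_addr_ts > 0 here: a dependent segment at address 0 is rejected above */`, or, if that guard does not exist, return the same error before computing `prev_rs`. Separately, comparing against `-1` only shows that some slice wrote that CTB, so it is worth confirming that `tab_slice_address` is reset per picture so stale entries cannot satisfy the check. hls_decode_entry begins and ends outside the hunk.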