avcodec/h264_slice: Do not attempt to render into frames already output

Fixes: null pointer dereference Fixes: 4698/clusterfuzz-testcase-minimized-5096956322906112 This testcase does not reproduce the issue before 03b82b3a Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 476665d4) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/h264_slice: Do not attempt to render into frames already output
Fixes: null pointer dereference Fixes: 4698/clusterfuzz-testcase-minimized-5096956322906112 This testcase does not reproduce the issue before 03b82b3a Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 476665d4) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
761362ff · Michael Niedermayer · 0abf465d · 761362ff
Commit 761362ff authored Jan 03, 2018 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

h264_slice.c libavcodec/h264_slice.c +6 -0

No files found.
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1634,6 +1634,12 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl)
                h->missing_fields ++;
                h->cur_pic_ptr = NULL;
                h->first_field = FIELD_PICTURE(h);
+            } else if (h->cur_pic_ptr->reference & DELAYED_PIC_REF) {
+                /* This frame was already output, we cannot draw into it
+                 * anymore.
+                 */
+                h->first_field = 1;
+                h->cur_pic_ptr = NULL;
            } else {
                h->missing_fields = 0;
                if (h->cur_pic_ptr->frame_num != h->frame_num) {