Fixes: out of array access
Fixes: 16601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5656105392275456
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 413e0f2516eef678011cffd1ec6f0d92aa8bb96a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
... | ... |
@@ -197,9 +197,10 @@ static av_always_inline int scaleforopp(VC1Context *v, int n /* MV */, |
197 | 197 |
return n; |
198 | 198 |
} |
199 | 199 |
if (v->s.pict_type != AV_PICTURE_TYPE_B) |
200 |
- refdist = FFMIN(v->refdist, 3); |
|
200 |
+ refdist = v->refdist; |
|
201 | 201 |
else |
202 | 202 |
refdist = dir ? v->brfd : v->frfd; |
203 |
+ refdist = FFMIN(refdist, 3); |
|
203 | 204 |
scaleopp = ff_vc1_field_mvpred_scales[dir ^ v->second_field][0][refdist]; |
204 | 205 |
|
205 | 206 |
n = (n * scaleopp >> 8) * (1 << hpel); |