avcodec/svq3: Reintroduce slice_type

Fixes out of array read
Fixes: 1642cd3962249d6aaf0eec2836023fb6/signal_sigsegv_2557a72_2995_04efaf2ff57a052f609a3b4a2ea4e622.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 653a6dba0730142da2c72fa1f30df2bfb0b5a1b0..5aedc1e657761bc94ecae803dc652bd1e2251352 100644 (file)
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -115,6 +115,7 @@ typedef struct SVQ3Context {
     int prev_frame_num;
 
     enum AVPictureType pict_type;
+    enum AVPictureType slice_type;
     int low_delay;
 
     int mb_x, mb_y;
@@ -1070,7 +1071,7 @@ static int svq3_decode_slice_header(AVCodecContext *avctx)
         return -1;
     }
 
-    s->pict_type = ff_h264_golomb_to_pict_type[slice_id];
+    s->slice_type = ff_h264_golomb_to_pict_type[slice_id];
 
     if ((header & 0x9F) == 2) {
         i = (s->mb_num < 64) ? 6 : (1 + av_log2(s->mb_num - 1));
@@ -1439,6 +1440,8 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data,
     if (svq3_decode_slice_header(avctx))
         return -1;
 
+    s->pict_type = s->slice_type;
+
     if (s->pict_type != AV_PICTURE_TYPE_B)
         FFSWAP(SVQ3Frame*, s->next_pic, s->last_pic);
 
@@ -1552,6 +1555,9 @@ static int svq3_decode_frame(AVCodecContext *avctx, void *data,
                     if (svq3_decode_slice_header(avctx))
                         return -1;
                 }
+                if (s->slice_type != s->pict_type) {
+                    avpriv_request_sample(avctx, "non constant slice type\n");
+                }
                 /* TODO: support s->mb_skip_run */
             }