h264: make sure the current picture is not made a long ref multiple times

Fixes possible invalid reads, once one of those refs is freed, but the
others remain.
CC: libav-stable@libav.org

diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index 2ddbdb705296124411e7f6a478d9b01b6c5f163f..adc221394456cdd5bb8224d402328c69810c62cb 100644 (file)
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -640,6 +640,15 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count)
             if (h->short_ref[0] == h->cur_pic_ptr)
                 remove_short_at_index(h, 0);
 
+            /* make sure the current picture is not already assigned as a long ref */
+            if (h->cur_pic_ptr->long_ref) {
+                for (j = 0; j < FF_ARRAY_ELEMS(h->long_ref); j++) {
+                    if (h->long_ref[j] == h->cur_pic_ptr)
+                        remove_long(h, j, 0);
+                }
+            }
+
+
             if (h->long_ref[mmco[i].long_arg] != h->cur_pic_ptr) {
                 remove_long(h, mmco[i].long_arg, 0);