From 9c6feb104d61c550fc77e8866705bdffc8de8736 Mon Sep 17 00:00:00 2001
From: Andreas Rheinhardt
Date: Sat, 10 Oct 2020 20:11:49 +0200
Subject: [PATCH] avcodec/sheervideo: Don't leave context in inconsistent state upon error
This has happened if the format changed midstream and if the new packet is so small that it is instantaneously rejected: In this case the VLC tables were for the new format, although the context says that they are still the ones for the old format. It can also happen if the format changed midstream and the allocation of the new tables fails. If the next packet is a packet for the old format, the decoder thinks it already has the correct VLC tables, leading to a segfault.
Signed-off-by: Andreas Rheinhardt
(cherry picked from commit 8969b9aa061790a5e87694aab17741cc7647d099)
---
 libavcodec/sheervideo.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/libavcodec/sheervideo.c b/libavcodec/sheervideo.c
index 1a43727a30..d76963a1c7 100644
--- a/libavcodec/sheervideo.c
+++ b/libavcodec/sheervideo.c
@@ -2036,16 +2036,17 @@ static int decode_frame(AVCodecContext *avctx,
 return AVERROR_PATCHWELCOME;
 }
- if (avpkt->size < 20 + avctx->width * avctx->height / 16) {
- av_log(avctx, AV_LOG_ERROR, "Input packet too small\n");
- return AVERROR_INVALIDDATA;
- }
-
 if (s->format != format) {
- if (ret < 0)
+ if (ret < 0) {
+ s->format = 0;
 return ret;
+ }
 s->format = format;
 }
+ if (avpkt->size < 20 + avctx->width * avctx->height / 16) {
+ av_log(avctx, AV_LOG_ERROR, "Input packet too small\n");
+ return AVERROR_INVALIDDATA;
+ }
 p->pict_type = AV_PICTURE_TYPE_I;
 p->key_frame = 1;
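Review bot: The `s->format = 0;` added in the `ret < 0` branch uses a bare zero as the "no valid VLC tables" marker without saying so, and the fix is only sound if 0 can never be accepted as a packet format. The `return AVERROR_PATCHWELCOME;` at the top of the hunk suggests unsupported tags are rejected earlier, but that code and the place where `ret` is assigned lie outside the hunk, so this should be confirmed against the full function. I would add a comment above the assignment such as `/* 0 is never a supported format tag, so the next packet is forced to rebuild the VLC tables */`. decode_frame starts and ends outside this hunk.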