From bbc3425fa25ef0ff830f6bb4a290d32ee7ad79f4 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Fri, 7 Feb 2014 20:14:38 -0500
Subject: [PATCH] vp9: fix mix-up of last-frame/cur-frame in frame size checks.

Fixes invalid reads in fuzzed7.ivf.
---
 libavcodec/vp9.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index 6d87b5765b..3545b32360 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -525,8 +525,11 @@ static int decode_frame_header(AVCodecContext *ctx,
         w = get_bits(&s->gb, 16) + 1;
         h = get_bits(&s->gb, 16) + 1;
     }
-    s->use_last_frame_mvs &= s->frames[LAST_FRAME].tf.f->width == w &&
-        s->frames[LAST_FRAME].tf.f->height == h;
+    // Note that in this code, "CUR_FRAME" is actually before we
+    // have formally allocated a frame, and thus actually represents
+    // the _last_ frame
+    s->use_last_frame_mvs &= s->frames[CUR_FRAME].tf.f->width == w &&
+        s->frames[CUR_FRAME].tf.f->height == h;
     if (get_bits1(&s->gb)) // display size
         skip_bits(&s->gb, 32);
     s->highprecisionmvs = get_bits1(&s->gb);
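Review bot: The corrected comparison still dereferences `s->frames[CUR_FRAME].tf.f` unconditionally, so the fix rests on an invariant that is only stated in the new comment: that `tf.f` is a live AVFrame here and still carries the previous frame's dimensions (presumably allocated at init and not yet rotated); if it can be NULL before the first frame or after a flush, fuzzed input turns this into a NULL dereference rather than the invalid read being fixed. A width/height match also does not by itself prove the previous frame's motion-vector data was produced (a previous frame that failed to decode, or none at all, can still leave matching or zero dimensions), so consider gating on the frame's buffer as the rest of this file appears to do, e.g. `s->use_last_frame_mvs &= s->frames[CUR_FRAME].tf.f->data[0] && s->frames[CUR_FRAME].tf.f->width == w && s->frames[CUR_FRAME].tf.f->height == h;` — confirm against how frames are unref'd in vp9_decode_frame. The added comment should name the invariant precisely instead of saying "actually" twice: `// frames[CUR_FRAME] has not been rotated yet at this point, so it still holds the previous frame; its size decides whether last-frame MVs may be reused.` decode_frame_header starts and ends outside the hunk.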