h264: prevent two matching fields from being both a short/long ref combination

Fixes possible access to freed memory. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org
author: Anton Khirnov <anton@khirnov.net> 2013-11-28 10:54:35 +0100
committer: Anton Khirnov <anton@khirnov.net> 2014-01-18 20:42:39 +0100
commit: 98cc9efc5f6b4dc847ed3b9b60b1c3bcd14e6791 (patch)
tree: 01d7c5c2bb4e86a72f6c8cbb0a1004e54c8bc62c /libavcodec/h264_refs.c
parent: 00dbff4c3e048b4abd01bf805725aabff0fa5ee1 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index bba77d15b0..88aaac7e1b 100644
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -621,6 +621,8 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count)
                      * Report the problem and keep the pair where it is,
                      * and mark this field valid.
                      */
+            if (h->short_ref[0] == h->cur_pic_ptr)
+                remove_short_at_index(h, 0);
 
             if (h->long_ref[mmco[i].long_arg] != h->cur_pic_ptr) {
                 remove_long(h, mmco[i].long_arg, 0);
author	Anton Khirnov <anton@khirnov.net>	2013-11-28 10:54:35 +0100
committer	Anton Khirnov <anton@khirnov.net>	2014-01-18 20:42:39 +0100
commit	98cc9efc5f6b4dc847ed3b9b60b1c3bcd14e6791 (patch)
tree	01d7c5c2bb4e86a72f6c8cbb0a1004e54c8bc62c /libavcodec/h264_refs.c
parent	00dbff4c3e048b4abd01bf805725aabff0fa5ee1 (diff)