From febc862b53c090e530b943ebd873747addf5f913 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 2 Jul 2016 03:06:27 +0200
Subject: avcodec/h264_parser: Set sps/pps_ref

Fixes use of freed memory
Should fix valgrind failures of fate-h264-skip-nointra

Found-by: logan
Signed-off-by: Michael Niedermayer
---
 libavcodec/h264_parser.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c
index 7af2a8dddc..ce46c58dda 100644
--- a/libavcodec/h264_parser.c
+++ b/libavcodec/h264_parser.c
@@ -367,13 +367,26 @@ static inline int parse_nal_units(AVCodecParserContext *s,
 "non-existing PPS %u referenced\n", pps_id);
 goto fail;
 }
- p->ps.pps = (const PPS*)p->ps.pps_list[pps_id]->data;
+
+ av_buffer_unref(&p->ps.pps_ref);
+ av_buffer_unref(&p->ps.sps_ref);
+ p->ps.pps = NULL;
+ p->ps.sps = NULL;
+ p->ps.pps_ref = av_buffer_ref(p->ps.pps_list[pps_id]);
+ if (!p->ps.pps_ref)
+ goto fail;
+ p->ps.pps = (const PPS*)p->ps.pps_ref->data;
+
 if (!p->ps.sps_list[p->ps.pps->sps_id]) {
 av_log(avctx, AV_LOG_ERROR,
 "non-existing SPS %u referenced\n", p->ps.pps->sps_id);
 goto fail;
 }
- p->ps.sps = (const SPS*)p->ps.sps_list[p->ps.pps->sps_id]->data;
+
+ p->ps.sps_ref = av_buffer_ref(p->ps.sps_list[p->ps.pps->sps_id]);
+ if (!p->ps.sps_ref)
+ goto fail;
+ p->ps.sps = (const SPS*)p->ps.sps_ref->data;
 
 sps = p->ps.sps;
 
-- 
cgit v1.2.3
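Review bot: The new reference-taking sequence carries no comment explaining why `p->ps.pps` and `p->ps.sps` must be backed by `pps_ref`/`sps_ref` instead of pointing straight into `pps_list`/`sps_list`, so a later simplification could quietly bring back the use of freed memory named in the commit message. Above the first `av_buffer_unref()` I would add something like `/* hold our own refs: a list entry may be replaced while pps/sps are still in use */`; the code that replaces list entries is presumably in the parameter-set parsing and is not visible here, so confirm the wording against it. Separately, the "non-existing SPS" branch and both `av_buffer_ref()` failure branches now leave `p->ps.sps` NULL (with `p->ps.pps` possibly still set), and the allocation failures reach `fail` without a log message or a visible `AVERROR(ENOMEM)`. Any code after the `fail` label or in later parser calls that reads `p->ps.sps` has to tolerate NULL, which cannot be checked from this hunk because parse_nal_units starts and ends outside it.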