From c7e631986b4a326a71a20a1a51000f3fbf6e64e7 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Tue, 27 Sep 2011 22:15:31 +0000
Subject: bink: Prevent NULL dereferences with missing reference frame
Signed-off-by: Janne Grunau
---
 libavcodec/bink.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'libavcodec/bink.c')
diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index 17683730d4..e4fdf4c93e 100644
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -950,8 +950,9 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx,
 for (i = 0; i < BINK_NB_SRC; i++) read_bundle(gb, c, i);
- ref_start = c->last.data[plane_idx];
- ref_end = c->last.data[plane_idx]
+ ref_start = c->last.data[plane_idx] ? c->last.data[plane_idx]
+ : c->pic.data[plane_idx];
+ ref_end = ref_start
 + (bw - 1 + c->last.linesize[plane_idx] * (bh - 1)) * 8;
 for (i = 0; i < 64; i++)
@@ -980,7 +981,8 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx,
 if (by == bh) break;
 dst = c->pic.data[plane_idx] + 8*by*stride;
- prev = c->last.data[plane_idx] + 8*by*stride;
+ prev = (c->last.data[plane_idx] ? c->last.data[plane_idx]
+ : c->pic.data[plane_idx]) + 8*by*stride;
 for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) {
 blk = get_value(c, BINK_SRC_BLOCK_TYPES); // 16x16 block type on odd line means part of the already decoded block, so skip it
-- cgit v1.2.3
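Review bot: In the first hunk, `ref_end` is still derived from `c->last.linesize[plane_idx]` even when `ref_start` has fallen back to `c->pic.data[plane_idx]`, so the window used to bound motion references may not describe the buffer it now points into. What `c->last.linesize` holds when the last frame has no data is not visible here; it is presumably zero or stale. Picking the stride together with the pointer would keep the two consistent, for example `ref_stride = c->last.data[plane_idx] ? c->last.linesize[plane_idx] : c->pic.linesize[plane_idx];` and then using `ref_stride` in the `ref_end` expression. The body of `bink_decode_plane` starts and ends outside this hunk.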
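Review bot: With the fallback in the second hunk, `prev` aliases `dst` whenever there is no previous frame, since both become `c->pic.data[plane_idx] + 8*by*stride`. Block types that copy from the previous frame would then read from the picture being written, and for regions not yet decoded the result depends on how that buffer was allocated, which this page does not show. That removes the NULL dereference but may let stale buffer contents reach the output for a stream whose first frame uses inter blocks. A comment such as `/* no reference frame: read from the current picture instead of dereferencing NULL */` would record the intent, or such frames could be rejected before decoding. The same `c->last.data[plane_idx] ? ... : ...` selection appears in the first hunk and could be computed once into a local; the loop body continues outside the hunk.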