From 8435bca087c0e79385763c51de009fd89390b6a5 Mon Sep 17 00:00:00 2001
From: Luca Barbato <lu_zero@gentoo.org>
Date: Fri, 12 Jul 2013 14:32:03 +0200
Subject: indeo4: Do not access missing reference MV

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/indeo4.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

(limited to 'libavcodec/indeo4.c')

diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c
index 75714350a4..e5800741a1 100644
--- a/libavcodec/indeo4.c
+++ b/libavcodec/indeo4.c
@@ -459,7 +459,7 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band,
                 }
 
                 mb->mv_x = mb->mv_y = 0; /* no motion vector coded */
-                if (band->inherit_mv) {
+                if (band->inherit_mv && ref_mb) {
                     /* motion vector inheritance */
                     if (mv_scale) {
                         mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale);
@@ -471,7 +471,10 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band,
                 }
             } else {
                 if (band->inherit_mv) {
-                    mb->type = ref_mb->type; /* copy mb_type from corresponding reference mb */
+                    /* copy mb_type from corresponding reference mb */
+                    if (!ref_mb)
+                        return AVERROR_INVALIDDATA;
+                    mb->type = ref_mb->type;
                 } else if (ctx->frame_type == FRAMETYPE_INTRA ||
                            ctx->frame_type == FRAMETYPE_INTRA1) {
                     mb->type = 0; /* mb_type is always INTRA for intra-frames */
@@ -495,14 +498,15 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band,
                     mb->mv_x = mb->mv_y = 0; /* there is no motion vector in intra-macroblocks */
                 } else {
                     if (band->inherit_mv) {
-                        /* motion vector inheritance */
-                        if (mv_scale) {
-                            mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale);
-                            mb->mv_y = ivi_scale_mv(ref_mb->mv_y, mv_scale);
-                        } else {
-                            mb->mv_x = ref_mb->mv_x;
-                            mb->mv_y = ref_mb->mv_y;
-                        }
+                        if (ref_mb)
+                            /* motion vector inheritance */
+                            if (mv_scale) {
+                                mb->mv_x = ivi_scale_mv(ref_mb->mv_x, mv_scale);
+                                mb->mv_y = ivi_scale_mv(ref_mb->mv_y, mv_scale);
+                            } else {
+                                mb->mv_x = ref_mb->mv_x;
+                                mb->mv_y = ref_mb->mv_y;
+                            }
                     } else {
                         /* decode motion vector deltas */
                         mv_delta = get_vlc2(&ctx->gb, ctx->mb_vlc.tab->table,
-- 
cgit v1.2.3