[FFmpeg-devel] [PATCH] H264: fix crash when ref list is emptied

Wed Sep 5 18:24:25 CEST 2007

The attached patch avoids a crash when H264 MMC operation causes the short 
term reference list to be emptied.  Currently, removing a short reference 
when it is the only entry in the list will cause a call to memmove with 
a negative/huge size.

 	-Jeff
-------------- next part --------------
Index: libavcodec/h264.c
===================================================================

--- libavcodec/h264.c	(revision 10291)
+++ libavcodec/h264.c	(working copy)
@@ -3874,8 +3874,8 @@
             av_log(h->s.avctx, AV_LOG_DEBUG, "%d %d %p\n", i, pic->frame_num, pic);
         if(pic->frame_num == frame_num){
             h->short_ref[i]= NULL;
-            memmove(&h->short_ref[i], &h->short_ref[i+1], (h->short_ref_count - i - 1)*sizeof(Picture*));
-            h->short_ref_count--;
+            if (--h->short_ref_count)
+                memmove(&h->short_ref[i], &h->short_ref[i+1], (h->short_ref_count - i)*sizeof(Picture*));
             return pic;
         }
     }

