[FFmpeg-cvslog] libavcodec/mvha: Check height before applying median predictor

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun Feb  9 15:02:45 2020 +0100| [c9c958051cc91604b9427229d648e65e782476d4] | committer: Michael Niedermayer

libavcodec/mvha: Check height before applying median predictor

Fixes: out of array read
Fixes: 20495/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MVHA_fuzzer-5711179129552896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c9c958051cc91604b9427229d648e65e782476d4
---

 libavcodec/mvha.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libavcodec/mvha.c b/libavcodec/mvha.c
index afe5e511f2..1ea3bb3d76 100644
--- a/libavcodec/mvha.c
+++ b/libavcodec/mvha.c
@@ -256,12 +256,14 @@ static int decode_frame(AVCodecContext *avctx,
 
         dst = frame->data[p] + (avctx->height - 1) * frame->linesize[p];
         s->llviddsp.add_left_pred(dst, dst, width, 0);
-        dst -= stride;
-        lefttop = left = dst[0];
-        for (int y = 1; y < avctx->height; y++) {
-            s->llviddsp.add_median_pred(dst, dst + stride, dst, width, &left, &lefttop);
-            lefttop = left = dst[0];
+        if (avctx->height > 1) {
             dst -= stride;
+            lefttop = left = dst[0];
+            for (int y = 1; y < avctx->height; y++) {
+                s->llviddsp.add_median_pred(dst, dst + stride, dst, width, &left, &lefttop);
+                lefttop = left = dst[0];
+                dst -= stride;
+            }
         }
     }