avcodec/h263dec: Check against previous dimensions instead of coded

michaelni · michaelni · commit c74740fcd543 · 2025-02-26T01:26:30.000+01:00
Fixes: out of array access Fixes: crash-a41ef3db699013f669b076f02f36942925f5a98c Found-by: Kacper Michajlow <kasper93@gmail.com> Reviewed-by: Kacper Michajlow <kasper93@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 0fe33c9) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c
@@ -431,6 +431,7 @@ int ff_h263_decode_frame(AVCodecContext *avctx, AVFrame *pict,
     MpegEncContext *s  = avctx->priv_data;
     int ret;
     int slice_ret = 0;
+    int bak_width, bak_height;
 
     /* no supplementary picture */
     if (buf_size == 0) {
@@ -482,6 +483,9 @@ int ff_h263_decode_frame(AVCodecContext *avctx, AVFrame *pict,
     if (ret < 0)
         return ret;
 
+    bak_width  = s->width;
+    bak_height = s->height;
+
     /* let's go :-) */
     if (CONFIG_WMV2_DECODER && s->msmpeg4_version == MSMP4_WMV2) {
         ret = ff_wmv2_decode_picture_header(s);
@@ -501,11 +505,12 @@ int ff_h263_decode_frame(AVCodecContext *avctx, AVFrame *pict,
     }
 
     if (ret < 0 || ret == FRAME_SKIPPED) {
-        if (   s->width  != avctx->coded_width
-            || s->height != avctx->coded_height) {
+        if (   s->width  != bak_width
+            || s->height != bak_height) {
                 av_log(s->avctx, AV_LOG_WARNING, "Reverting picture dimensions change due to header decoding failure\n");
-                s->width = avctx->coded_width;
-                s->height= avctx->coded_height;
+                s->width = bak_width;
+                s->height= bak_height;
+
         }
     }
     if (ret == FRAME_SKIPPED)
