From 64819bfc7a1f622eab88c8962e02c9e2941bb42d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 4 May 2013 01:11:08 +0200
Subject: [PATCH] snow: Fix off by 1 error in reference picture management

Fixes out of array accesses
No release is affected by this bug
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
libavcodec/snow.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/snow.c b/libavcodec/snow.c
index 9f6399c78a..5362ae4d5e 100644
--- a/libavcodec/snow.c
+++ b/libavcodec/snow.c
@@ -618,7 +618,7 @@ int ff_snow_frame_start(SnowContext *s){
 av_frame_move_ref(&tmp, &s->last_picture[s->max_ref_frames-1]);
 for(i=s->max_ref_frames-1; i>0; i--)
- av_frame_move_ref(&s->last_picture[i+1], &s->last_picture[i]);
+ av_frame_move_ref(&s->last_picture[i], &s->last_picture[i-1]);
 memmove(s->halfpel_plane+1, s->halfpel_plane, (s->max_ref_frames-1)*sizeof(void*)*4*4);
 if(USE_HALFPEL_PLANE && s->current_picture.data[0])
 halfpel_interpol(s, s->halfpel_plane[0], &s->current_picture);
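Review bot: The corrected shift still relies on `s->max_ref_frames` being at least 1 and no larger than the `last_picture` array, and nothing visible in this hunk enforces that. With a value of 0, the `av_frame_move_ref(&tmp, &s->last_picture[s->max_ref_frames-1])` line indexes element -1 and the `memmove` length `(s->max_ref_frames-1)*sizeof(void*)*4*4` wraps to a very large size. The value is set outside this hunk, so an assertion ahead of the shift would record the invariant next to the code that depends on it, for example `av_assert0(s->max_ref_frames >= 1 && s->max_ref_frames <= FF_ARRAY_ELEMS(s->last_picture));` (assuming `avassert.h` is available in this file). Bracing the `for` body would also help, because the unbraced loop is followed directly by the `memmove` that must stay outside it. `ff_snow_frame_start` starts and ends outside the hunk, so a range check elsewhere in the function or in header parsing may already cover this.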