# HG changeset patch # User heydowns # Date 1197613523 0 # Node ID 9d1654835629a450ba5e8b589616717f2e3906e9 # Parent e1404acccac305bb4ff37392a04ae4f315309bf7 Ensure that our total reference frame count does not exceed the SPS max frame count, which is limited to less than the size of the reference buffers, thereby preventing overflow. Part of fix for issue 281. diff -r e1404acccac3 -r 9d1654835629 h264.c --- a/h264.c Fri Dec 14 05:48:27 2007 +0000 +++ b/h264.c Fri Dec 14 06:25:23 2007 +0000 @@ -3612,6 +3612,29 @@ s->current_picture_ptr->reference |= s->picture_structure; } + if (h->sps.ref_frame_count && + h->long_ref_count + h->short_ref_count == h->sps.ref_frame_count){ + + /* We have too many reference frames, probably due to corrupted + * stream. Need to discard one frame. Prevents overrun of the + * short_ref and long_ref buffers. + */ + av_log(h->s.avctx, AV_LOG_ERROR, + "number of reference frames exceeds max (probably " + "corrupt input), discarding one\n"); + + if (h->long_ref_count) { + for (i = 0; i < 16; ++i) + if (h->long_ref[i]) + break; + + assert(i < 16); + remove_long_at_index(h, i); + } else { + remove_short_at_index(h, h->short_ref_count - 1); + } + } + print_short_term(h); print_long_term(h); return 0;
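
Review bot: The new guard in the @@ -3612 hunk compares with ==, so a state where long_ref_count + short_ref_count is already above sps.ref_frame_count skips the discard entirely, and the log text says "exceeds max" although the branch fires when the total merely equals the limit. If the intent is to cap the total before another reference is added, >= covers both cases; otherwise the message should say the limit was reached. In the long-ref branch, assert(i < 16) is the only check between a long_ref_count that disagrees with the contents of long_ref[] and a call to remove_long_at_index(h, 16). This path is reached on corrupt input and asserts are compiled out under NDEBUG, so an explicit runtime check on i (log, then fall back to the short-ref removal or return an error) is safer than the assert alone. The literal 16 in the loop bound and the assert would also be better as a named constant or the element count of long_ref, so the bound cannot drift from the array size.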