avcodec/g2meet: fix stride calculation, use correct format field

Fixes out of array accesses
Fixes: asan_heap-oob_ae5f63_5415_g2m4.wmv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 83f7bd6dcf00875725c5f3b7e1bedac5a6b3c77d)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
index 1667149..b342ae7 100644 (file)
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -490,7 +490,7 @@ static int g2m_load_cursor(AVCodecContext *avctx, G2MContext *c,
     cursor_hot_y  = bytestream2_get_byte(gb);
     cursor_fmt    = bytestream2_get_byte(gb);
 
-    cursor_stride = FFALIGN(cursor_w, c->cursor_fmt==1 ? 32 : 1) * 4;
+    cursor_stride = FFALIGN(cursor_w, cursor_fmt==1 ? 32 : 1) * 4;
 
     if (cursor_w < 1 || cursor_w > 256 ||
         cursor_h < 1 || cursor_h > 256) {