eatgv: fix out of bound reads on corrupted motions vectors.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent
74b9c59839
commit
09302a897d
@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst
|
|||||||
* @return 0 on success, -1 on critical buffer underflow
|
* @return 0 on success, -1 on critical buffer underflow
|
||||||
*/
|
*/
|
||||||
static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){
|
static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){
|
||||||
unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->width*s->last_frame.linesize[0];
|
unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->height*s->last_frame.linesize[0];
|
||||||
int num_mvs;
|
int num_mvs;
|
||||||
int num_blocks_raw;
|
int num_blocks_raw;
|
||||||
int num_blocks_packed;
|
int num_blocks_packed;
|
||||||
@ -211,7 +211,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
|
|||||||
(y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
|
(y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
|
||||||
x*4 + s->mv_codebook[vector][0];
|
x*4 + s->mv_codebook[vector][0];
|
||||||
src_stride = s->last_frame.linesize[0];
|
src_stride = s->last_frame.linesize[0];
|
||||||
if (src+3*src_stride+3>=frame0_end)
|
if (src < s->last_frame.data[0] || src+3*src_stride+3>=frame0_end)
|
||||||
continue;
|
continue;
|
||||||
}else{
|
}else{
|
||||||
int offset = vector - num_mvs;
|
int offset = vector - num_mvs;
|
||||||
|
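Review bot: The new guard `if (src < s->last_frame.data[0] || src+3*src_stride+3>=frame0_end)` tests a pointer that has already been built from the motion vector read out of the bitstream, so for a corrupted vector `src` is formed outside the frame buffer before it is compared; forming and comparing such a pointer is undefined behaviour in C, and an optimising compiler may drop the check. The pointer test also does not constrain the horizontal range: a vector that pushes `x*4 + s->mv_codebook[vector][0]` below 0 or past the picture width still passes whenever the address lands inside the plane, and the 4x4 block is then read across a row boundary. Validating the block coordinates as integers before building `src` covers both cases: `int mx = x*4 + s->mv_codebook[vector][0], my = y*4 + s->mv_codebook[vector][1];` followed by `if (mx < 0 || my < 0 || mx + 4 > s->avctx->width || my + 4 > s->avctx->height) continue;`. The start of the `src` assignment and the rest of tgv_decode_inter lie outside the visible hunks, so the codebook element type and the sign of `linesize[0]` should be confirmed there.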