virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-15 14:13:16 +02:00
Code Issues Releases Activity

indeo: Bound-check before applying motion compensation

Browse Source 
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
This commit is contained in:
Luca Barbato
2013-07-14 14:06:16 +02:00
parent 1dd1b2332e
commit 25a6666f6c
1 changed files with 17 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
libavcodec/ivi_common.c
View File

@@ -44,16 +44,22 @@ static VLC ivi_blk_vlc_tabs[8]; ///< static block Huffman tables
typedef void (*ivi_mc_func) (int16_t *buf, const int16_t *ref_buf, typedef void (*ivi_mc_func) (int16_t *buf, const int16_t *ref_buf,
uint32_t pitch, int mc_type); uint32_t pitch, int mc_type);
static int ivi_mc(ivi_mc_func mc, int16_t *buf, const int16_t *ref_buf, static int ivi_mc(IVIBandDesc *band, ivi_mc_func mc,
int offs, int mv_x, int mv_y, uint32_t pitch, int offs, int mv_x, int mv_y, int mc_type)
int mc_type)
{ {
int ref_offs = offs + mv_y * pitch + mv_x; int ref_offs = offs + mv_y * band->pitch + mv_x;
int buf_size = band->pitch * band->aheight;
int min_size = band->pitch * (band->blk_size - 1) + band->blk_size;
int ref_size = (mc_type > 1) * band->pitch + (mc_type & 1);
if (offs < 0 || ref_offs < 0 || !ref_buf) if (offs < 0 || ref_offs < 0 || !band->ref_buf)
return AVERROR_INVALIDDATA;
if (buf_size - min_size < offs)
return AVERROR_INVALIDDATA;
if (buf_size - min_size - ref_size < ref_offs)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
mc(buf + offs, ref_buf + ref_offs, pitch, mc_type); mc(band->buf + offs, band->ref_buf + ref_offs, band->pitch, mc_type);
return 0; return 0;
} }
@@ -513,8 +519,7 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band,
/* apply motion compensation */ /* apply motion compensation */
if (!is_intra) if (!is_intra)
return ivi_mc(mc, band->buf, band->ref_buf, offs, mv_x, mv_y, return ivi_mc(band, mc, offs, mv_x, mv_y, mc_type);
band->pitch, mc_type);
return 0; return 0;
} }
@@ -617,8 +622,8 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band,
if (ret < 0) if (ret < 0)
return ret; return ret;
} else { } else {
ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf, ret = ivi_mc(band, mc_no_delta_func, buf_offs,
buf_offs, mv_x, mv_y, band->pitch, mc_type); mv_x, mv_y, mc_type);
if (ret < 0) if (ret < 0)
return ret; return ret;
} }
@@ -724,8 +729,8 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
for (blk = 0; blk < num_blocks; blk++) { for (blk = 0; blk < num_blocks; blk++) {
/* adjust block position in the buffer according with its number */ /* adjust block position in the buffer according with its number */
offs = mb->buf_offs + band->blk_size * ((blk & 1) + !!(blk & 2) * band->pitch); offs = mb->buf_offs + band->blk_size * ((blk & 1) + !!(blk & 2) * band->pitch);
ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf, ret = ivi_mc(band, mc_no_delta_func, offs,
offs, mv_x, mv_y, band->pitch, mc_type); mv_x, mv_y, mc_type);
if (ret < 0) if (ret < 0)
return ret; return ret;
} }