virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-08 13:22:53 +02:00
Code Issues Releases Activity

indeo4: check motion vetors.

Browse Source 
Fixes out of heap array read.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2012-03-22 22:44:54 +01:00
parent afc0cc22e1
commit 9759d2b886
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
libavcodec/indeo4.c
View File

@ -462,7 +462,7 @@ static int decode_mb_info(IVI4DecContext *ctx, IVIBandDesc *band,
IVITile *tile, AVCodecContext *avctx) IVITile *tile, AVCodecContext *avctx)
{ {
int x, y, mv_x, mv_y, mv_delta, offs, mb_offset, blks_per_mb, int x, y, mv_x, mv_y, mv_delta, offs, mb_offset, blks_per_mb,
mv_scale, mb_type_bits; mv_scale, mb_type_bits, s;
IVIMbInfo *mb, *ref_mb; IVIMbInfo *mb, *ref_mb;
int row_offset = band->mb_size * band->pitch; int row_offset = band->mb_size * band->pitch;
@ -558,6 +558,15 @@ static int decode_mb_info(IVI4DecContext *ctx, IVIBandDesc *band,
} }
} }
s= band->is_halfpel;
if (mb->type)
if ( x + (mv_x >>s) + (y+ (mv_y >>s))*band->pitch < 0 ||
x + ((mv_x+s)>>s) + band->mb_size - 1
+ (y+band->mb_size - 1 +((mv_y+s)>>s))*band->pitch > band->height*band->pitch -1) {
av_log(avctx, AV_LOG_ERROR, "motion vector %d %d outside reference\n", x*s + mv_x, y*s + mv_y);
return AVERROR_INVALIDDATA;
}
mb++; mb++;
if (ref_mb) if (ref_mb)
ref_mb++; ref_mb++;