From c855ece101cd960ddd20eabd5f295e0b02b71dcc Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 26 Mar 2012 02:24:36 +0200
Subject: [PATCH] indeo5: check motion vectors. fixes out of frame reading
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/indeo5.c | 11 ++++++++++-
 libavcodec/ivi_common.c | 1 +
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c
index 2bacfa2885..52be725721 100644
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -450,7 +450,7 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band,
 IVITile *tile, AVCodecContext *avctx)
 {
 int x, y, mv_x, mv_y, mv_delta, offs, mb_offset,
- mv_scale, blks_per_mb;
+ mv_scale, blks_per_mb, s;
 IVIMbInfo *mb, *ref_mb;
 int row_offset = band->mb_size * band->pitch;
@@ -550,6 +550,15 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band,
 }
 }
+ s= band->is_halfpel;
+ if (mb->type)
+ if ( x + (mb->mv_x >>s) + (y+ (mb->mv_y >>s))*band->pitch < 0 ||
+ x + ((mb->mv_x+s)>>s) + band->mb_size - 1
+ + (y+band->mb_size - 1 +((mb->mv_y+s)>>s))*band->pitch > band->bufsize - 1) {
+ av_log(avctx, AV_LOG_ERROR, "motion vector %d %d outside reference\n", x*s + mb->mv_x, y*s + mb->mv_y);
+ return AVERROR_INVALIDDATA;
+ }
+
 mb++;
 if (ref_mb)
 ref_mb++;
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index c593ee942f..1e55721c40 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -209,6 +209,7 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
 band->pitch = width_aligned;
 band->bufs[0] = av_malloc(buf_size);
 band->bufs[1] = av_malloc(buf_size);
+ band->bufsize = buf_size/2;
 if (!band->bufs[0] || !band->bufs[1])
 return AVERROR(ENOMEM);
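Review bot: The diagnostic on the added av_log line in the second indeo5.c hunk does not print what it appears to — with `s = band->is_halfpel` equal to 0 the `x*s + mb->mv_x` term collapses to just `mb->mv_x`, so the logged position changes units depending on is_halfpel; `(x << s) + mb->mv_x, (y << s) + mb->mv_y` reports the macroblock position in MV units consistently. The bounds test itself looks sound for a linear band buffer (both half-pel corners are rounded outward via `(mv + s) >> s`), but it depends on `band->bufsize` being counted in samples, and the companion ivi_common.c change derives that as `buf_size/2`, a magic constant tied to the sample width — `buf_size / sizeof(*band->bufs[0])` (or whatever element type the buffers actually hold) would make the unit explicit, and if the `bufsize` field is documented in the header as bytes that comment needs updating too. Note also that this guards against reading outside the band buffer, not outside the frame: a horizontal vector that crosses a row edge stays within range and simply wraps into the neighbouring row, so "outside reference" in the message is a little stronger than what is rejected, and right-shifting a negative `mv_x`/`mv_y` relies on arithmetic shift, which C leaves implementation-defined (ffmpeg assumes it elsewhere, so a one-line comment is enough). Stylistically the two nested unbraced `if`s would read better as a single `if (mb->type && (... || ...)) {`, and `s= band->is_halfpel` wants a space before `=`. decode_mb_info begins before this hunk and continues after it.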