[FFmpeg-cvslog] eatgv: fix out of bound reads on corrupted motions vectors.

Laurent Aimar git at videolan.org
Fri Nov 4 13:22:16 CET 2011


ffmpeg | branch: release/0.8 | Laurent Aimar <fenrir at videolan.org> | Sat Oct  8 23:40:27 2011 +0200| [44740513709cb326667fc8b7d24abb6e16aacee6] | committer: Michael Niedermayer

eatgv: fix out of bound reads on corrupted motions vectors.

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 09302a897d1990b1338f049fcd29638d736b8823)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=44740513709cb326667fc8b7d24abb6e16aacee6
---

 libavcodec/eatgv.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c
index 0855f10..f50a308 100644
--- a/libavcodec/eatgv.c
+++ b/libavcodec/eatgv.c
@@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst
  * @return 0 on success, -1 on critical buffer underflow
  */
 static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){
-    unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->width*s->last_frame.linesize[0];
+    unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->height*s->last_frame.linesize[0];
     int num_mvs;
     int num_blocks_raw;
     int num_blocks_packed;
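Review bot: the changed `frame0_end` line takes the row count from the current context (`s->avctx->height`) but the base pointer and stride from `s->last_frame`, so the bound is only correct if the previous frame was allocated with the same height. If dimensions can change between frames, derive the bound from the dimensions `last_frame` was actually allocated with. A one-line comment would also help, saying that `frame0_end` is one past the last row of plane 0 and that `linesize[0]` is assumed positive. The old `width*linesize[0]` survived unnoticed partly because the variable's meaning was never stated.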
@@ -211,7 +211,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
                   (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
                    x*4 + s->mv_codebook[vector][0];
             src_stride = s->last_frame.linesize[0];
-            if (src+3*src_stride+3>=frame0_end)
+            if (src < s->last_frame.data[0] || src+3*src_stride+3>=frame0_end)
                 continue;
         }else{
             int offset = vector - num_mvs;
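Review bot: in `if (src < s->last_frame.data[0] || src+3*src_stride+3>=frame0_end)` the bounds test runs on a pointer that has already been computed from the untrusted codebook entry. With a corrupted vector, `src` is formed outside the frame buffer before it is compared, and out-of-range pointer arithmetic is undefined behaviour in C, so the comparison is not guaranteed to hold after optimisation. Validate the integer coordinates instead, before forming `src`: check that `y*4 + s->mv_codebook[vector][1]` lies in 0..height-4 and that `x*4 + s->mv_codebook[vector][0]` lies in 0..width-4. That also rejects horizontal offsets that stay inside the buffer but wrap into a neighbouring row, which the pointer test lets through.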


