[FFmpeg-cvslog] eamad: check for out of bound reads when doing MC

Laurent Aimar git at videolan.org
Fri Nov 4 20:49:21 CET 2011


ffmpeg | branch: release/0.7 | Laurent Aimar <fenrir at videolan.org> | Sat Oct  8 23:40:31 2011 +0200| [79bafbb0dd6af48eae51eb69c472208f97eff11d] | committer: Michael Niedermayer

eamad: check for out of bound reads when doing MC

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit da35797359cec148f3fe59894c62727b0422d75a)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79bafbb0dd6af48eae51eb69c472208f97eff11d
---

 libavcodec/eamad.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c
index f5b2535..150bd08 100644
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -85,15 +85,21 @@ static inline void comp_block(MadContext *t, int mb_x, int mb_y,
 {
     MpegEncContext *s = &t->s;
     if (j < 4) {
+        unsigned offset = (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x;
+        if (offset >= (s->height - 7) * t->last_frame.linesize[0] - 7)
+            return;
         comp(t->frame.data[0] + (mb_y*16 + ((j&2)<<2))*t->frame.linesize[0] + mb_x*16 + ((j&1)<<3),
              t->frame.linesize[0],
-             t->last_frame.data[0] + (mb_y*16 + ((j&2)<<2) + mv_y)*t->last_frame.linesize[0] + mb_x*16 + ((j&1)<<3) + mv_x,
+             t->last_frame.data[0] + offset,
              t->last_frame.linesize[0], add);
     } else if (!(s->avctx->flags & CODEC_FLAG_GRAY)) {
         int index = j - 3;
+        unsigned offset = (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2);
+        if (offset >= (s->height/2 - 7) * t->last_frame.linesize[index] - 7)
+            return;
         comp(t->frame.data[index] + (mb_y*8)*t->frame.linesize[index] + mb_x * 8,
              t->frame.linesize[index],
-             t->last_frame.data[index] + (mb_y * 8 + (mv_y/2))*t->last_frame.linesize[index] + mb_x * 8 + (mv_x/2),
+             t->last_frame.data[index] + offset,
              t->last_frame.linesize[index], add);
     }
 }



More information about the ffmpeg-cvslog mailing list