[FFmpeg-cvslog] vc1dec: Fix global array overread.

Michael Niedermayer git at videolan.org
Wed Mar 28 15:22:49 CEST 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Wed Mar 28 10:44:43 2012 +0200| [a60a4d704149ab51bd27b63ae763c1d26d075013] | committer: Michael Niedermayer

vc1dec: Fix global array overread.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a60a4d704149ab51bd27b63ae763c1d26d075013
---

 libavcodec/vc1dec.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index d538c74..d2923b9 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -1049,8 +1049,8 @@ static void vc1_mc_4mv_chroma4(VC1Context *v)
             mquant = v->altpq;                                 \
         if ((edges&8) && s->mb_y == (s->mb_height - 1))        \
             mquant = v->altpq;                                 \
-        if (!mquant) {                                 \
-            av_log(v->s.avctx,AV_LOG_ERROR, "zero mquant\n");   \
+        if (!mquant || mquant > 31) {                          \
+            av_log(v->s.avctx, AV_LOG_ERROR, "invalid mquant %d\n", mquant);   \
             mquant = 1;                                \
         }                                              \
     }
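
Review bot: The new test "if (!mquant || mquant > 31)" rejects zero and values above 31 but not negative ones; the %d in the log call suggests mquant is a signed int, so if it can go negative at this point, a lower bound (mquant < 1 || mquant > 31) would close that side as well. The literal 31 is also unexplained: neither the hunk nor the commit message names the global array that was overread or its size, so a short comment or a constant tied to that table would keep the bound from drifting out of step with it. Since an invalid value is still replaced by "mquant = 1" and decoding continues, it is worth stating whether that fallback is the intended handling for corrupt streams rather than returning an error.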


