[FFmpeg-cvslog] 4xm: do not overread the source buffer in decode_p_block

Luca Barbato git at videolan.org
Tue Aug 27 16:17:32 CEST 2013


ffmpeg | branch: release/1.1 | Luca Barbato <lu_zero at gentoo.org> | Sun Jun  9 18:27:05 2013 +0200| [c7934c6c0b0c6e33a83ed12f6e20dc977a945384] | committer: Reinhard Tartler

4xm: do not overread the source buffer in decode_p_block

Check for out of picture macroblocks before calling mcdc.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit 94aefb1932be882fd93f66cf790ceb19ff575c19)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c7934c6c0b0c6e33a83ed12f6e20dc977a945384
---

 libavcodec/4xm.c |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index cf9ad72..99e0e2e 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -372,6 +372,10 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src,
                                   log2w, log2h, stride)) < 0)
             return ret;
     } else if (code == 3 && f->version < 2) {
+        if (start > src || src > end) {
+            av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+            return AVERROR_INVALIDDATA;
+        }
         mcdc(dst, src, log2w, h, stride, 1, 0);
     } else if (code == 4) {
         src += f->mv[bytestream2_get_byte(&f->g)];
@@ -381,6 +385,10 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src,
         }
         mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2));
     } else if (code == 5) {
+        if (start > src || src > end) {
+            av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+            return AVERROR_INVALIDDATA;
+        }
         mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2));
     } else if (code == 6) {
         if (log2w) {



More information about the ffmpeg-cvslog mailing list