[FFmpeg-cvslog] 4xm: do not overread the source buffer in decode_p_block
Luca Barbato
git at videolan.org
Tue Aug 27 16:17:32 CEST 2013
ffmpeg | branch: release/1.1 | Luca Barbato <lu_zero at gentoo.org> | Sun Jun 9 18:27:05 2013 +0200| [c7934c6c0b0c6e33a83ed12f6e20dc977a945384] | committer: Reinhard Tartler
4xm: do not overread the source buffer in decode_p_block
Check for out of picture macroblocks before calling mcdc.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit 94aefb1932be882fd93f66cf790ceb19ff575c19)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c7934c6c0b0c6e33a83ed12f6e20dc977a945384
---
libavcodec/4xm.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index cf9ad72..99e0e2e 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -372,6 +372,10 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src,
log2w, log2h, stride)) < 0)
return ret;
} else if (code == 3 && f->version < 2) {
+ if (start > src || src > end) {
+ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+ return AVERROR_INVALIDDATA;
+ }
mcdc(dst, src, log2w, h, stride, 1, 0);
} else if (code == 4) {
src += f->mv[bytestream2_get_byte(&f->g)];
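Review bot: in the `code == 3 && f->version < 2` branch the new test `start > src || src > end` validates only the pointer to the block's first sample, while `mcdc(dst, src, log2w, h, stride, 1, 0)` then reads a whole block starting at `src`. The check is sufficient only if `end` has already been reduced by the block's height and width, and neither `start` nor `end` is defined in the lines shown here. A short comment stating that `end` is the last valid block origin, or pointing to where it is computed, would make this reviewable. Relational comparison of a `src` that may already lie outside the picture buffer is also not strictly defined in C; validating the offset before forming the pointer would avoid relying on it.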
@@ -381,6 +385,10 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src,
}
mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2));
} else if (code == 5) {
+ if (start > src || src > end) {
+ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+ return AVERROR_INVALIDDATA;
+ }
mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2));
} else if (code == 6) {
if (log2w) {
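Review bot: the guard added in the `code == 5` branch is a verbatim copy of the one added for `code == 3`, including the message "mv out of pic\n", so a log line cannot tell which block code rejected the frame, and no motion vector is applied to `src` in the lines of this branch shown here. Consider moving the check into a small helper shared by both sites, or at least logging `code` in the message, so the two copies cannot drift apart.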