[FFmpeg-cvslog] indeo: Bound-check before applying motion compensation

Luca Barbato git at videolan.org
Mon Jul 15 13:17:20 CEST 2013


ffmpeg | branch: master | Luca Barbato <lu_zero at gentoo.org> | Sun Jul 14 14:06:16 2013 +0200| [25a6666f6c07c6ac8449a63d7fbce0dfd29c54cd] | committer: Luca Barbato

indeo: Bound-check before applying motion compensation

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=25a6666f6c07c6ac8449a63d7fbce0dfd29c54cd
---

 libavcodec/ivi_common.c |   29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index 0dbed97..1aa47fc 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -44,16 +44,22 @@ static VLC ivi_blk_vlc_tabs[8]; ///< static block Huffman tables
 typedef void (*ivi_mc_func) (int16_t *buf, const int16_t *ref_buf,
                              uint32_t pitch, int mc_type);
 
-static int ivi_mc(ivi_mc_func mc, int16_t *buf, const int16_t *ref_buf,
-                  int offs, int mv_x, int mv_y, uint32_t pitch,
-                  int mc_type)
+static int ivi_mc(IVIBandDesc *band, ivi_mc_func mc,
+                  int offs, int mv_x, int mv_y, int mc_type)
 {
-    int ref_offs = offs + mv_y * pitch + mv_x;
+    int ref_offs = offs + mv_y * band->pitch + mv_x;
+    int buf_size = band->pitch * band->aheight;
+    int min_size = band->pitch * (band->blk_size - 1) + band->blk_size;
+    int ref_size = (mc_type > 1) * band->pitch + (mc_type & 1);
 
-    if (offs < 0 || ref_offs < 0 || !ref_buf)
+    if (offs < 0 || ref_offs < 0 || !band->ref_buf)
+        return AVERROR_INVALIDDATA;
+    if (buf_size - min_size < offs)
+        return AVERROR_INVALIDDATA;
+    if (buf_size - min_size - ref_size < ref_offs)
         return AVERROR_INVALIDDATA;
 
-    mc(buf + offs, ref_buf + ref_offs, pitch, mc_type);
+    mc(band->buf + offs, band->ref_buf + ref_offs, band->pitch, mc_type);
 
     return 0;
 }
@@ -513,8 +519,7 @@ static int ivi_decode_coded_blocks(GetBitContext *gb, IVIBandDesc *band,
 
     /* apply motion compensation */
     if (!is_intra)
-        return ivi_mc(mc, band->buf, band->ref_buf, offs, mv_x, mv_y,
-                      band->pitch, mc_type);
+        return ivi_mc(band, mc, offs, mv_x, mv_y, mc_type);
 
     return 0;
 }
@@ -617,8 +622,8 @@ static int ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band,
                     if (ret < 0)
                         return ret;
                 } else {
-                    ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf,
-                                 buf_offs, mv_x, mv_y, band->pitch, mc_type);
+                    ret = ivi_mc(band, mc_no_delta_func, buf_offs,
+                                 mv_x, mv_y, mc_type);
                     if (ret < 0)
                         return ret;
                 }
@@ -724,8 +729,8 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
             for (blk = 0; blk < num_blocks; blk++) {
                 /* adjust block position in the buffer according with its number */
                 offs = mb->buf_offs + band->blk_size * ((blk & 1) + !!(blk & 2) * band->pitch);
-                ret = ivi_mc(mc_no_delta_func, band->buf, band->ref_buf,
-                             offs, mv_x, mv_y, band->pitch, mc_type);
+                ret = ivi_mc(band, mc_no_delta_func, offs,
+                             mv_x, mv_y, mc_type);
                 if (ret < 0)
                     return ret;
             }



More information about the ffmpeg-cvslog mailing list