[FFmpeg-cvslog] dxa: check vectors of 4x4 motion blocks
Michael Niedermayer
git at videolan.org
Thu Jan 16 02:46:58 CET 2014
ffmpeg | branch: release/1.2 | Michael Niedermayer <michaelni at gmx.at> | Tue May 7 20:18:41 2013 +0200| [7855083443e059503731371d0eab011ae573708c] | committer: Michael Niedermayer
dxa: check vectors of 4x4 motion blocks
Fixes out of array reads
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit f96e0eb2387f8da7b8177f8f22969853dc648ca6)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7855083443e059503731371d0eab011ae573708c
---
libavcodec/dxa.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c
index a2fe557..97c30d5 100644
--- a/libavcodec/dxa.c
+++ b/libavcodec/dxa.c
@@ -71,6 +71,11 @@ static int decode_13(AVCodecContext *avctx, DxaDecContext *c, uint8_t* dst, uint
case 4: // motion compensation
x = (*mv) >> 4; if(x & 8) x = 8 - x;
y = (*mv++) & 0xF; if(y & 8) y = 8 - y;
+ if (i < -x || avctx->width - i - 4 < x ||
+ j < -y || avctx->height - j - 4 < y) {
+ av_log(avctx, AV_LOG_ERROR, "MV %d %d out of bounds\n", x,y);
+ return AVERROR_INVALIDDATA;
+ }
tmp2 += x + y*stride;
case 0: // skip
case 5: // skip in method 12
More information about the ffmpeg-cvslog
mailing list