[FFmpeg-devel] Crash in hpel_motion

Stefan Gehrer stefan.gehrer
Mon Apr 12 20:16:55 CEST 2010

On 04/12/2010 09:15 AM, Ian McIntosh wrote:
> Hi
> I recently came across a video file (that contained rather heavily
> corrupted H263 video data) that would crash in libavcodec with an
> invalid pointer access in hpel_motion(). The problem was the calculated
> src_y was a negative number (-13) and the calculated src_x was a
> positive number (500) which resulted in the calculation src_y * stride +
> src_x being a negative offset and when added to the pointer src, it
> would point to a location outside of the bounds of the allocated memory.

A negative offset at that point is not necessarily a bug. This is
because depending on some magic flag decoders can use a padding area
around the reference frames in order to handle out-of-frame motion
vectors. So while src does point at least at the top-left corner of
the frame, there can still be lower address values
which are valid to access.

It would be most helpful if you can provide the sample file that
causes the crash and follow the instructions here:


More information about the ffmpeg-devel mailing list