[FFmpeg-devel] [PATCH] dvenc: Prevent out-of-bounds read
Derek Buitenhuis
derek.buitenhuis at gmail.com
Fri Nov 17 18:20:55 EET 2017
mb_area_start has 5 entries, and 'a' is iterated through from 0 to 3.
'a2' is set to 'a + 1', and mb_area_start[a2 + 1] is accessed, so if
a is 3, then we try to access mb_area_start[5].
Signed-off-by: Derek Buitenhuis <derek.buitenhuis at gmail.com>
---
I'm not 100% sure if this fix is /correct/, so hopefully someone
knows the DV code...
---
libavcodec/dvenc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/dvenc.c b/libavcodec/dvenc.c
index ce2fc75daa..b79cbebb04 100644
--- a/libavcodec/dvenc.c
+++ b/libavcodec/dvenc.c
@@ -383,7 +383,7 @@ static inline void dv_guess_qnos(EncBlockInfo *blks, int *qnos)
prev = k;
} else {
if (b->next[k] >= mb_area_start[a + 1] && b->next[k] < 64) {
- for (a2 = a + 1; b->next[k] >= mb_area_start[a2 + 1]; a2++)
+ for (a2 = a + 1; a2 < 4 && b->next[k] >= mb_area_start[a2 + 1]; a2++)
b->prev[a2] = prev;
av_assert2(a2 < 4);
av_assert2(b->mb[b->next[k]]);
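Review bot: With the added `a2 < 4` guard, the for loop can now exit with a2 == 4, which is exactly the state the unchanged `av_assert2(a2 < 4);` two lines below rejects. When a is 3 the loop starts at a2 = 4 and the guard stops it immediately, so builds with that assert level enabled would abort here, and other builds would carry a2 == 4 into whatever follows. The patch needs to either handle the a2 == 4 exit explicitly after the loop, or show that the outer condition `b->next[k] >= mb_area_start[a + 1] && b->next[k] < 64` can never hold for the last area. The contents of mb_area_start are not visible in this hunk. If its final entry is an upper bound that the `< 64` check already enforces, the loop terminates before a2 reaches 4 and the read of mb_area_start[5] is unreachable. In that case a comment or an assert stating this invariant would be clearer than a guard that conflicts with the existing assert.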
--
2.15.0