[FFmpeg-cvslog] indeo5: check motion vectors.

Michael Niedermayer git at videolan.org
Mon Mar 26 04:05:44 CEST 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Mon Mar 26 02:24:36 2012 +0200| [c855ece101cd960ddd20eabd5f295e0b02b71dcc] | committer: Michael Niedermayer

indeo5: check motion vectors.

fixes out of frame reading

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c855ece101cd960ddd20eabd5f295e0b02b71dcc
---

 libavcodec/indeo5.c     |   11 ++++++++++-
 libavcodec/ivi_common.c |    1 +
 2 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c
index 2bacfa2..52be725 100644
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -450,7 +450,7 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band,
                           IVITile *tile, AVCodecContext *avctx)
 {
     int         x, y, mv_x, mv_y, mv_delta, offs, mb_offset,
-                mv_scale, blks_per_mb;
+                mv_scale, blks_per_mb, s;
     IVIMbInfo   *mb, *ref_mb;
     int         row_offset = band->mb_size * band->pitch;
 
@@ -550,6 +550,15 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band,
                 }
             }
 
+            s= band->is_halfpel;
+            if (mb->type)
+            if ( x +  (mb->mv_x   >>s) +                 (y+               (mb->mv_y   >>s))*band->pitch < 0 ||
+                 x + ((mb->mv_x+s)>>s) + band->mb_size - 1
+                   + (y+band->mb_size - 1 +((mb->mv_y+s)>>s))*band->pitch > band->bufsize - 1) {
+                av_log(avctx, AV_LOG_ERROR, "motion vector %d %d outside reference\n", x*s + mb->mv_x, y*s + mb->mv_y);
+                return AVERROR_INVALIDDATA;
+            }
+
             mb++;
             if (ref_mb)
                 ref_mb++;
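Review bot: The coordinates printed by the new av_log call are not in a consistent unit: `x*s + mb->mv_x` multiplies the pixel position by `s`, which the lines above use as a shift count, so with `s == 0` the position drops out and only the raw vector is logged. If the intent is to report the target in vector units, `(x << s) + mb->mv_x, (y << s) + mb->mv_y` would match the `>>s` scaling used in the test. The test itself bounds only the linear offset into the reference buffer, so a vector that crosses the left or right edge into a neighbouring row still passes. A comment above the condition such as `/* bounds the linear offset only: guards the buffer, not the picture edges */` would make that explicit, and braces around the outer `if (mb->type)` would make the nested `if` easier to read. decode_mb_info starts and ends outside this hunk.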
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index c593ee9..1e55721 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -209,6 +209,7 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
             band->pitch    = width_aligned;
             band->bufs[0]  = av_malloc(buf_size);
             band->bufs[1]  = av_malloc(buf_size);
+            band->bufsize  = buf_size/2;
             if (!band->bufs[0] || !band->bufs[1])
                 return AVERROR(ENOMEM);
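Review bot: The unit of `band->bufsize` is left implicit by the bare `/2` on the added line: `buf_size` is the byte count passed to av_malloc, while the check added in indeo5.c compares `bufsize` against sample offsets. Assuming the band buffers hold 16-bit samples (their type is not visible in this hunk), `band->bufsize = buf_size / sizeof(*band->bufs[0]);` or a trailing comment `/* in samples, not bytes */` would keep the two in step if the sample type changes. Any other path that allocates or resizes `band->bufs` would also need to set `bufsize`; none is visible here, and ff_ivi_init_planes continues outside the hunk.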
 


