[FFmpeg-cvslog] indeo3dec: check mv bitstream pointer

Michael Niedermayer git at videolan.org
Mon Mar 26 22:26:57 CEST 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Mon Mar 26 22:11:53 2012 +0200| [a84851bef8b7c99708ac5c7d0cddd6f8a7ee4d9e] | committer: Michael Niedermayer

indeo3dec: check mv bitstream pointer

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a84851bef8b7c99708ac5c7d0cddd6f8a7ee4d9e
---

 libavcodec/indeo3.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 62cd835..c24252a 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -801,6 +801,10 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
                 /* get motion vector index and setup the pointer to the mv set */
                 if (!ctx->need_resync)
                     ctx->next_cell_data = &ctx->gb.buffer[(get_bits_count(&ctx->gb) + 7) >> 3];
+                if (ctx->next_cell_data >= ctx->last_byte) {
+                    av_log(avctx, AV_LOG_ERROR, "motion vector out of array\n");
+                    return AVERROR_INVALIDDATA;
+                }
                 mv_idx = *(ctx->next_cell_data++);
                 if (mv_idx >= ctx->num_vectors) {
                     av_log(avctx, AV_LOG_ERROR, "motion vector index out of range\n");



More information about the ffmpeg-cvslog mailing list