[FFmpeg-cvslog] indeo: check for invalid motion vectors

Kostya Shishkov git at videolan.org
Sun May 20 23:00:48 CEST 2012


ffmpeg | branch: master | Kostya Shishkov <kostya.shishkov at gmail.com> | Sat May 19 16:07:42 2012 +0200| [cf61aaaca16810b9b3a28395ed48fda8db0e87d9] | committer: Kostya Shishkov

indeo: check for invalid motion vectors

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cf61aaaca16810b9b3a28395ed48fda8db0e87d9
---

 libavcodec/ivi_common.c |   16 ++++++++++++++++
 libavcodec/ivi_common.h |    1 +
 2 files changed, 17 insertions(+)

diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index 6979231..caa545c 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -212,6 +212,7 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
             band->width    = b_width;
             band->height   = b_height;
             band->pitch    = width_aligned;
+            band->aheight  = height_aligned;
             band->bufs[0]  = av_mallocz(buf_size);
             band->bufs[1]  = av_mallocz(buf_size);
             if (!band->bufs[0] || !band->bufs[1])
@@ -381,6 +382,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
                 mv_x >>= 1;
                 mv_y >>= 1; /* convert halfpel vectors into fullpel ones */
             }
+            if (mb->type) {
+                int dmv_x, dmv_y, cx, cy;
+
+                dmv_x = mb->mv_x >> band->is_halfpel;
+                dmv_y = mb->mv_y >> band->is_halfpel;
+                cx    = mb->mv_x &  band->is_halfpel;
+                cy    = mb->mv_y &  band->is_halfpel;
+
+                if (   mb->xpos + dmv_x < 0
+                    || mb->xpos + dmv_x + band->mb_size + cx > band->pitch
+                    || mb->ypos + dmv_y < 0
+                    || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
+                    return AVERROR_INVALIDDATA;
+                }
+            }
         }
 
         for (blk = 0; blk < num_blocks; blk++) {
diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h
index 6842d74..8c37b94 100644
--- a/libavcodec/ivi_common.h
+++ b/libavcodec/ivi_common.h
@@ -135,6 +135,7 @@ typedef struct {
     int             band_num;       ///< band number
     int             width;
     int             height;
+    int             aheight;        ///< aligned band height
     const uint8_t   *data_ptr;      ///< ptr to the first byte of the band data
     int             data_size;      ///< size of the band data
     int16_t         *buf;           ///< pointer to the output buffer for this band



More information about the ffmpeg-cvslog mailing list