[FFmpeg-cvslog] indeo: check for invalid motion vectors

Kostya Shishkov git at videolan.org
Mon Feb 18 01:09:44 CET 2013


ffmpeg | branch: release/0.7 | Kostya Shishkov <kostya.shishkov at gmail.com> | Sat May 19 16:07:42 2012 +0200| [3c0f84402b2b12a9982e59d584768a3a5ef454f5] | committer: Reinhard Tartler

indeo: check for invalid motion vectors

(cherry picked from commit cf61aaaca16810b9b3a28395ed48fda8db0e87d9)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3c0f84402b2b12a9982e59d584768a3a5ef454f5
---

 libavcodec/ivi_common.c |   16 ++++++++++++++++
 libavcodec/ivi_common.h |    1 +
 2 files changed, 17 insertions(+)

diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index 2cd65e5..22af3a7 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -212,6 +212,7 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
             band->width    = b_width;
             band->height   = b_height;
             band->pitch    = width_aligned;
+            band->aheight  = height_aligned;
             band->bufs[0]  = av_mallocz(buf_size);
             band->bufs[1]  = av_mallocz(buf_size);
             if (!band->bufs[0] || !band->bufs[1])
@@ -382,6 +383,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
                 mv_x >>= 1;
                 mv_y >>= 1; /* convert halfpel vectors into fullpel ones */
             }
+            if (mb->type) {
+                int dmv_x, dmv_y, cx, cy;
+
+                dmv_x = mb->mv_x >> band->is_halfpel;
+                dmv_y = mb->mv_y >> band->is_halfpel;
+                cx    = mb->mv_x &  band->is_halfpel;
+                cy    = mb->mv_y &  band->is_halfpel;
+
+                if (   mb->xpos + dmv_x < 0
+                    || mb->xpos + dmv_x + band->mb_size + cx > band->pitch
+                    || mb->ypos + dmv_y < 0
+                    || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
+                    return AVERROR_INVALIDDATA;
+                }
+            }
         }
 
         for (blk = 0; blk < num_blocks; blk++) {
diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h
index fd3d825..cd9847d 100644
--- a/libavcodec/ivi_common.h
+++ b/libavcodec/ivi_common.h
@@ -132,6 +132,7 @@ typedef struct {
     int             band_num;       ///< band number
     int             width;
     int             height;
+    int             aheight;        ///< aligned band height
     const uint8_t   *data_ptr;      ///< ptr to the first byte of the band data
     int             data_size;      ///< size of the band data
     int16_t         *buf;           ///< pointer to the output buffer for this band



More information about the ffmpeg-cvslog mailing list