[FFmpeg-cvslog] dxa: check vectors of 4x4 motion blocks
Michael Niedermayer
git at videolan.org
Tue May 7 20:41:18 CEST 2013
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Tue May 7 20:18:41 2013 +0200| [f96e0eb2387f8da7b8177f8f22969853dc648ca6] | committer: Michael Niedermayer
dxa: check vectors of 4x4 motion blocks
Fixes out of array reads
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f96e0eb2387f8da7b8177f8f22969853dc648ca6
---
libavcodec/dxa.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c
index 2286f33..b2f9b81 100644
--- a/libavcodec/dxa.c
+++ b/libavcodec/dxa.c
@@ -71,6 +71,11 @@ static int decode_13(AVCodecContext *avctx, DxaDecContext *c, uint8_t* dst,
case 4: // motion compensation
x = (*mv) >> 4; if(x & 8) x = 8 - x;
y = (*mv++) & 0xF; if(y & 8) y = 8 - y;
+ if (i < -x || avctx->width - i - 4 < x ||
+ j < -y || avctx->height - j - 4 < y) {
+ av_log(avctx, AV_LOG_ERROR, "MV %d %d out of bounds\n", x,y);
+ return AVERROR_INVALIDDATA;
+ }
tmp2 += x + y*stride;
case 0: // skip
case 5: // skip in method 12
More information about the ffmpeg-cvslog
mailing list