[FFmpeg-cvslog] avcodec/qpeg: fix off by 1 error in MV bounds check

Michael Niedermayer git at videolan.org
Fri Oct 3 21:32:04 CEST 2014


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Fri Oct  3 21:08:52 2014 +0200| [dd3bfe3cc1ca26d0fff3a3baf61a40207032143f] | committer: Michael Niedermayer

avcodec/qpeg: fix off by 1 error in MV bounds check

Fixes out of array access
Fixes: asan_heap-oob_153760f_4_asan_heap-oob_1d7a4cf_164_VWbig6.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dd3bfe3cc1ca26d0fff3a3baf61a40207032143f
---

 libavcodec/qpeg.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c
index 94cb5bd..d61bcea 100644
--- a/libavcodec/qpeg.c
+++ b/libavcodec/qpeg.c
@@ -163,7 +163,7 @@ static void av_noinline qpeg_decode_inter(QpegContext *qctx, uint8_t *dst,
 
                     /* check motion vector */
                     if ((me_x + filled < 0) || (me_x + me_w + filled > width) ||
-                       (height - me_y - me_h < 0) || (height - me_y > orig_height) ||
+                       (height - me_y - me_h < 0) || (height - me_y >= orig_height) ||
                        (filled + me_w > width) || (height - me_h < 0))
                         av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n",
                                me_x, me_y, me_w, me_h, filled, height);
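Review bot: the changed test (height - me_y >= orig_height) is now the only inclusive bound in this condition, while the neighbouring tests use strict comparisons such as (me_x + me_w + filled > width), and neither the hunk nor the commit message says why this one differs. A one-line comment next to it stating what height - me_y refers to, and why equality with orig_height is already out of range, would keep the asymmetry from being "corrected" back later. Separately, the only failure handling visible here is av_log(NULL, ...): passing NULL drops the decoder context from the log line even though qctx is a parameter of this function, and it is worth confirming in the code following this hunk that the block copy is actually skipped when the check fails.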


