aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2012-11-09 23:38:51 +0100
committerMichael Niedermayer <michaelni@gmx.at>2012-11-09 23:39:41 +0100
commita93c7ca6ef625188c9ec088c2e75f731b78c9923 (patch)
tree2777c7dcf9327eb0c1cf1fd5947aeb071d5678bf
parentc63e76ba3553d7635b92ac3801f3087e85a76bfb (diff)
downloadffmpeg-a93c7ca6ef625188c9ec088c2e75f731b78c9923.tar.gz
ivi_common: more MV Checks, fixes out of array reads
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/ivi_common.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index 32c0b0fd91..b3b6e9f13b 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -560,6 +560,22 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
mb->mv_y = ref_mb->mv_y;
}
need_mc |= mb->mv_x || mb->mv_y; /* tracking non-zero motion vectors */
+ {
+ int dmv_x, dmv_y, cx, cy;
+
+ dmv_x = mb->mv_x >> band->is_halfpel;
+ dmv_y = mb->mv_y >> band->is_halfpel;
+ cx = mb->mv_x & band->is_halfpel;
+ cy = mb->mv_y & band->is_halfpel;
+
+ if ( mb->xpos + dmv_x < 0
+ || mb->xpos + dmv_x + band->mb_size + cx > band->pitch
+ || mb->ypos + dmv_y < 0
+ || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
+ av_log(avctx, AV_LOG_ERROR, "MV out of bounds\n");
+ return AVERROR_INVALIDDATA;
+ }
+ }
}
mb++;