authorLuca Barbato <lu_zero@gentoo.org>2013-06-09 18:27:05 +0200
committerReinhard Tartler <siretart@tauware.de>2013-06-30 16:39:08 +0200
commit0c943d1cdd18d0aea4ebc15f18a1152f7a77e5c9 (patch)
treed5adc3ce18c0fce910b9d4b15db0ac730fe45b5c
parent6a4f1e784e39c82194a485995906d9917d4619b2 (diff)
4xm: do not overread the source buffer in decode_p_block
Check for out of picture macroblocks before calling mcdc. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 94aefb1932be882fd93f66cf790ceb19ff575c19) Signed-off-by: Reinhard Tartler <siretart@tauware.de> Conflicts: libavcodec/4xm.c
-rw-r--r--libavcodec/4xm.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index e9f08c3729..77d15d5803 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -343,6 +343,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
decode_p_block(f, dst , src , log2w, log2h, stride);
decode_p_block(f, dst + (1<<log2w), src + (1<<log2w), log2w, log2h, stride);
}else if(code == 3 && f->version<2){
+ if (start > src || src > end) {
+ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+ return;
+ }
mcdc(dst, src, log2w, h, stride, 1, 0);
}else if(code == 4){
src += f->mv[bytestream2_get_byte(&f->g)];
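Review bot: The early `return` in the new guard under `code == 3 && f->version<2` drops the error on the floor, because decode_p_block is declared `static void` (visible in the hunk header). The caller therefore cannot tell that the block was rejected, and will go on decoding the remaining blocks of a frame that is already known to be malformed. Consider making the function return a status, e.g. `static int decode_p_block(...)` with `return AVERROR_INVALIDDATA;` in the guard, and have the recursive calls above and the frame-level caller check it. The identical guard added under `code == 5` in the second hunk has the same problem. The start of the function and its callers are outside the hunk, so the caller-side change is not shown here.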
@@ -352,6 +356,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
}
mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2));
}else if(code == 5){
+ if (start > src || src > end) {
+ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+ return;
+ }
mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2));
}else if(code == 6){
if(log2w){
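Review bot: The guard added under `code == 5` logs "mv out of pic", but no motion vector is applied to `src` in this branch (nor in the `code == 3` branch of the first hunk), so the message points a reader at the wrong cause. A distinct message such as `"block out of pic\n"` would match the commit description ("out of picture macroblocks"). `start` and `end` are defined outside the hunk, so it cannot be confirmed from here that `end` leaves room for the full `h` rows of width `1<<log2w` that mcdc is handed. A comment at their definition would make that reviewable, along the lines of `/* [start, end] is the range of valid top-left positions for a block of this size in the reference picture */`. Since the same four-line check now appears in several branches, a small `static` helper would keep the copies from drifting apart.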