authorMichael Niedermayer <michaelni@gmx.at>2012-03-04 22:32:44 +0100
committerMichael Niedermayer <michaelni@gmx.at>2012-03-04 23:06:56 +0100
commit56ffa3fefb22605ac6507efa046ebddc38301521 (patch)
treee831104a300aeca9f7ab60ba071cc762e95f48ac
parent14aa1ba8020ef66b4463e92e9bb8d699ebbd5ba9 (diff)
downloadffmpeg-56ffa3fefb22605ac6507efa046ebddc38301521.tar.gz
indeo3: Check motion vectors.
Fixes overread of reference frame. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/indeo3.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 83effae859..54389a1abf 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -584,6 +584,13 @@ static int decode_cell(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
/* set the pointer to the reference pixels for modes 0-4 INTER */
mv_y = cell->mv_ptr[0];
mv_x = cell->mv_ptr[1];
+ if ( mv_x + 4*cell->xpos < 0
+ || mv_y + 4*cell->ypos < 0
+ || mv_x + 4*cell->xpos + 4*cell->width > plane->width
+ || mv_y + 4*cell->ypos + 4*cell->height > plane->height) {
+ av_log(avctx, AV_LOG_ERROR, "motion vector %d %d outside reference\n", mv_x + 4*cell->xpos, mv_y + 4*cell->ypos);
+ return AVERROR_INVALIDDATA;
+ }
offset += mv_y * plane->pitch + mv_x;
ref_block = plane->pixels[ctx->buf_sel ^ 1] + offset;
}
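Review bot: The new av_log() call labels its arguments "motion vector" but prints `mv_x + 4*cell->xpos` and `mv_y + 4*cell->ypos`, which is the translated block origin, so someone triaging a rejected stream cannot recover the offending vector from the log. Logging the raw values together with the cell position would be more useful, e.g. `"motion vector %d %d outside reference (cell at %d,%d)\n", mv_x, mv_y, 4*cell->xpos, 4*cell->ypos`. The factor 4 is repeated six times without explanation; a comment such as `/* cell geometry is in 4-pixel units (presumably); the whole referenced block must lie inside the reference plane */` above the condition would make the bound auditable. The guard covers only this use of `cell->mv_ptr`, and decode_cell's body starts and ends outside the hunk, so any other path that derives a reference offset from the same vector would need the same validation, which cannot be confirmed from here.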