diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2012-03-04 22:32:44 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-03-04 23:06:56 +0100 |
commit | 56ffa3fefb22605ac6507efa046ebddc38301521 (patch) | |
tree | e831104a300aeca9f7ab60ba071cc762e95f48ac | |
parent | 14aa1ba8020ef66b4463e92e9bb8d699ebbd5ba9 (diff) | |
download | ffmpeg-56ffa3fefb22605ac6507efa046ebddc38301521.tar.gz |
indeo3: Check motion vectors.
Fixes overread of reference frame.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/indeo3.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 83effae859..54389a1abf 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -584,6 +584,13 @@ static int decode_cell(Indeo3DecodeContext *ctx, AVCodecContext *avctx, /* set the pointer to the reference pixels for modes 0-4 INTER */ mv_y = cell->mv_ptr[0]; mv_x = cell->mv_ptr[1]; + if ( mv_x + 4*cell->xpos < 0 + || mv_y + 4*cell->ypos < 0 + || mv_x + 4*cell->xpos + 4*cell->width > plane->width + || mv_y + 4*cell->ypos + 4*cell->height > plane->height) { + av_log(avctx, AV_LOG_ERROR, "motion vector %d %d outside reference\n", mv_x + 4*cell->xpos, mv_y + 4*cell->ypos); + return AVERROR_INVALIDDATA; + } offset += mv_y * plane->pitch + mv_x; ref_block = plane->pixels[ctx->buf_sel ^ 1] + offset; } |