authorMichael Niedermayer <michaelni@gmx.at>2013-01-29 22:35:37 +0100
committerMichael Niedermayer <michaelni@gmx.at>2013-01-29 22:36:18 +0100
commitdc8dd2f6e972985f3ed237019bc7c70731af8148 (patch)
tree24a0a7de4abbc38eb494690f2f16e552d252e507
parent1d81f7448c8aa7df4aaed612fcd032dbccbd1a96 (diff)
sanm: Check MV before using them.
Fixes out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/sanm.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index 70ad1f8fed..c9284920b6 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -29,6 +29,7 @@
#include "libavutil/imgutils.h"
#include "libavcodec/dsputil.h"
#include "sanm_data.h"
+#include "libavutil/avassert.h"
#define NGLYPHS 256
@@ -613,6 +614,16 @@ static int process_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *prev1,
} else {
int mx = motion_vectors[code][0];
int my = motion_vectors[code][1];
+ int index = prev2 - (const uint8_t*)ctx->frm2;
+
+ av_assert2(index >= 0 && index < (ctx->buf_size>>1));
+
+ if (index < - mx - my*stride ||
+ (ctx->buf_size>>1) - index < mx + size + (my + size - 1)*stride) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "MV is invalid \n");
+ return AVERROR_INVALIDDATA;
+ }
+
for (k = 0; k < size; k++)
memcpy(dst + k * stride, prev2 + mx + (my + k) * stride, size);
}
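Review bot: The new bound check is only sound when `prev2` really lies inside `ctx->frm2`, and the line that states this, `av_assert2(index >= 0 && index < (ctx->buf_size>>1));`, is compiled in only at the higher assert levels, so ordinary builds run the check on an unverified `index`. The callers that supply `prev2` are outside this hunk; if they all pass a pointer derived from `frm2`, a comment above the assert such as `/* prev2 is frm2 plus a block offset; the 8-bit plane spans buf_size>>1 bytes */` would record that invariant and the reason for the otherwise unexplained `>>1` (presumably `buf_size` counts bytes of 16-bit pixels, to be confirmed against the allocation code). The pointer difference is also narrowed to `int`; `ptrdiff_t index = prev2 - (const uint8_t *)ctx->frm2;` keeps the full width. process_block starts and ends outside the hunk.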