mmvideo: check horizontal coordinate too

Fixes out of array accesses. Bug-Id: CVE-2013-3672 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 70cd3b8e659c3522eea5c16a65d14b8658894a94) Signed-off-by: Anton Khirnov <anton@khirnov.net>
author: Michael Niedermayer <michaelni@gmx.at> 2014-08-03 19:24:18 +0100
committer: Anton Khirnov <anton@khirnov.net> 2014-08-05 19:28:47 +0000
commit: ede738880032db62b7dc5b3712f769d3826f5974 (patch)
tree: 215eecf24a62a45dcd195618a2e2cb5f5cd1c16b
parent: 36d8914f1b94e4731d2fc67162902839c106e72e (diff)
download: ffmpeg-ede738880032db62b7dc5b3712f769d3826f5974.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c
index 784b939734..e1ae991dee 100644
--- a/libavcodec/mmvideo.c
+++ b/libavcodec/mmvideo.c
@@ -150,6 +150,8 @@ static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert)
             int replace_array = bytestream2_get_byte(&s->gb);
             for(j=0; j<8; j++) {
                 int replace = (replace_array >> (7-j)) & 1;
+                if (x + half_horiz >= s->avctx->width)
+                    return AVERROR_INVALIDDATA;
                 if (replace) {
                     int color = bytestream2_get_byte(&data_ptr);
                     s->frame.data[0][y*s->frame.linesize[0] + x] = color;
author	Michael Niedermayer <michaelni@gmx.at>	2014-08-03 19:24:18 +0100
committer	Anton Khirnov <anton@khirnov.net>	2014-08-05 19:28:47 +0000
commit	ede738880032db62b7dc5b3712f769d3826f5974 (patch)
tree	215eecf24a62a45dcd195618a2e2cb5f5cd1c16b
parent	36d8914f1b94e4731d2fc67162902839c106e72e (diff)
download	ffmpeg-ede738880032db62b7dc5b3712f769d3826f5974.tar.gz