diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2007-09-05 01:14:17 +0000 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2007-09-05 01:14:17 +0000 |
| commit | f9f835ee894331e0653f01052266b9ff6bbd7301 (patch) | |
| tree | 247b272e0cfdddb435467705ca2d24149ba093e2 | |
| parent | 46491f138c4baeaaaaa3cfd4dec0a1f0aa08d360 (diff) | |
| download | ffmpeg-f9f835ee894331e0653f01052266b9ff6bbd7301.tar.gz | |
fix segfault with dracula.4xm
closes issue132
Originally committed as revision 10392 to svn://svn.ffmpeg.org/ffmpeg/trunk
| -rw-r--r-- | libavcodec/4xm.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 83e1b92ec4..79f754b54e 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -301,11 +301,17 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo const int index= size2index[log2h][log2w]; const int h= 1<<log2h; int code= get_vlc2(&f->gb, block_type_vlc[1-f->version][index].table, BLOCK_TYPE_VLC_BITS, 1); + uint16_t *start= f->last_picture.data[0]; + uint16_t *end= start + stride*(f->avctx->height-h+1) - (1<<log2w); assert(code>=0 && code<=6); if(code == 0){ src += f->mv[ *f->bytestream++ ]; + if(start > src || src > end){ + av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); + return; + } mcdc(dst, src, log2w, h, stride, 1, 0); }else if(code == 1){ log2h--; @@ -319,6 +325,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo mcdc(dst, src, log2w, h, stride, 1, 0); }else if(code == 4){ src += f->mv[ *f->bytestream++ ]; + if(start > src || src > end){ + av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); + return; + } mcdc(dst, src, log2w, h, stride, 1, le2me_16(*f->wordstream++)); }else if(code == 5){ mcdc(dst, src, log2w, h, stride, 0, le2me_16(*f->wordstream++)); |