diff options
author | Laurent Aimar <fenrir@videolan.org> | 2011-10-08 23:40:27 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2011-10-09 03:08:02 +0200 |
commit | 09302a897d1990b1338f049fcd29638d736b8823 (patch) | |
tree | d10bdb710e674b1f548704037a54fabfb4d863ce /libavcodec/eatgv.c | |
parent | 74b9c598396f76407c6b3841c10bc67ddddb2a98 (diff) | |
download | ffmpeg-09302a897d1990b1338f049fcd29638d736b8823.tar.gz |
eatgv: fix out of bound reads on corrupted motions vectors.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/eatgv.c')
-rw-r--r-- | libavcodec/eatgv.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c index 991c5d12b8..f0f42c6592 100644 --- a/libavcodec/eatgv.c +++ b/libavcodec/eatgv.c @@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst * @return 0 on success, -1 on critical buffer underflow */ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){ - unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->width*s->last_frame.linesize[0]; + unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->height*s->last_frame.linesize[0]; int num_mvs; int num_blocks_raw; int num_blocks_packed; @@ -211,7 +211,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] + x*4 + s->mv_codebook[vector][0]; src_stride = s->last_frame.linesize[0]; - if (src+3*src_stride+3>=frame0_end) + if (src < s->last_frame.data[0] || src+3*src_stride+3>=frame0_end) continue; }else{ int offset = vector - num_mvs; |