avcodec/qpeg: fix off by 1 error in MV bounds check

Fixes out of array access Fixes: asan_heap-oob_153760f_4_asan_heap-oob_1d7a4cf_164_VWbig6.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit dd3bfe3cc1ca26d0fff3a3baf61a40207032143f) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2014-10-03 21:08:52 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2014-12-21 04:40:04 +0100
commit: 86e57695257fde22da2045b6468ccaef34e848a5 (patch)
tree: a8cba3b1cf592a961c19cf2ddd70f3f8b65a45d6 /libavcodec/qpeg.c
parent: d37e539d5ef08932c316cf50c00d52cc15e6b413 (diff)
download: ffmpeg-86e57695257fde22da2045b6468ccaef34e848a5.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c
index 2446060cdb..f0cf376c02 100644
--- a/libavcodec/qpeg.c
+++ b/libavcodec/qpeg.c
@@ -163,7 +163,7 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst,
 
                     /* check motion vector */
                     if ((me_x + filled < 0) || (me_x + me_w + filled > width) ||
-                       (height - me_y - me_h < 0) || (height - me_y > orig_height) ||
+                       (height - me_y - me_h < 0) || (height - me_y >= orig_height) ||
                        (filled + me_w > width) || (height - me_h < 0))
                         av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n",
                                me_x, me_y, me_w, me_h, filled, height);
author	Michael Niedermayer <michaelni@gmx.at>	2014-10-03 21:08:52 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2014-12-21 04:40:04 +0100
commit	86e57695257fde22da2045b6468ccaef34e848a5 (patch)
tree	a8cba3b1cf592a961c19cf2ddd70f3f8b65a45d6 /libavcodec/qpeg.c
parent	d37e539d5ef08932c316cf50c00d52cc15e6b413 (diff)
download	ffmpeg-86e57695257fde22da2045b6468ccaef34e848a5.tar.gz