aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2012-03-26 02:24:36 +0200
committerMichael Niedermayer <michaelni@gmx.at>2012-03-26 03:45:45 +0200
commitc855ece101cd960ddd20eabd5f295e0b02b71dcc (patch)
treeb3fde5e9dd2e3fedbaf7df4844402ea61aa91e45 /libavcodec
parent33f39c02aa0d6d2479a95669fe36cd45fe7f3bb8 (diff)
downloadffmpeg-c855ece101cd960ddd20eabd5f295e0b02b71dcc.tar.gz
indeo5: check motion vectors.
fixes out of frame reading Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/indeo5.c11
-rw-r--r--libavcodec/ivi_common.c1
2 files changed, 11 insertions, 1 deletions
diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c
index 2bacfa2885..52be725721 100644
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -450,7 +450,7 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band,
IVITile *tile, AVCodecContext *avctx)
{
int x, y, mv_x, mv_y, mv_delta, offs, mb_offset,
- mv_scale, blks_per_mb;
+ mv_scale, blks_per_mb, s;
IVIMbInfo *mb, *ref_mb;
int row_offset = band->mb_size * band->pitch;
@@ -550,6 +550,15 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band,
}
}
+ s= band->is_halfpel;
+ if (mb->type)
+ if ( x + (mb->mv_x >>s) + (y+ (mb->mv_y >>s))*band->pitch < 0 ||
+ x + ((mb->mv_x+s)>>s) + band->mb_size - 1
+ + (y+band->mb_size - 1 +((mb->mv_y+s)>>s))*band->pitch > band->bufsize - 1) {
+ av_log(avctx, AV_LOG_ERROR, "motion vector %d %d outside reference\n", x*s + mb->mv_x, y*s + mb->mv_y);
+ return AVERROR_INVALIDDATA;
+ }
+
mb++;
if (ref_mb)
ref_mb++;
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index c593ee942f..1e55721c40 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -209,6 +209,7 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
band->pitch = width_aligned;
band->bufs[0] = av_malloc(buf_size);
band->bufs[1] = av_malloc(buf_size);
+ band->bufsize = buf_size/2;
if (!band->bufs[0] || !band->bufs[1])
return AVERROR(ENOMEM);