author | Michael Niedermayer <michaelni@gmx.at> | 2012-03-26 02:24:36 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-03-26 03:45:45 +0200 |
commit | c855ece101cd960ddd20eabd5f295e0b02b71dcc (patch) | |
tree | b3fde5e9dd2e3fedbaf7df4844402ea61aa91e45 /libavcodec | |
parent | 33f39c02aa0d6d2479a95669fe36cd45fe7f3bb8 (diff) | |
indeo5: check motion vectors.
fixes out of frame reading
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/indeo5.c | 11 | ||||
-rw-r--r-- | libavcodec/ivi_common.c | 1 |
2 files changed, 11 insertions, 1 deletions
diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 2bacfa2885..52be725721 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -450,7 +450,7 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band, IVITile *tile, AVCodecContext *avctx) { int x, y, mv_x, mv_y, mv_delta, offs, mb_offset, - mv_scale, blks_per_mb; + mv_scale, blks_per_mb, s; IVIMbInfo *mb, *ref_mb; int row_offset = band->mb_size * band->pitch; @@ -550,6 +550,15 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band, } } + s= band->is_halfpel; + if (mb->type) + if ( x + (mb->mv_x >>s) + (y+ (mb->mv_y >>s))*band->pitch < 0 || + x + ((mb->mv_x+s)>>s) + band->mb_size - 1 + + (y+band->mb_size - 1 +((mb->mv_y+s)>>s))*band->pitch > band->bufsize - 1) { + av_log(avctx, AV_LOG_ERROR, "motion vector %d %d outside reference\n", x*s + mb->mv_x, y*s + mb->mv_y); + return AVERROR_INVALIDDATA; + } + mb++; if (ref_mb) ref_mb++; diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index c593ee942f..1e55721c40 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -209,6 +209,7 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) band->pitch = width_aligned; band->bufs[0] = av_malloc(buf_size); band->bufs[1] = av_malloc(buf_size); + band->bufsize = buf_size/2; if (!band->bufs[0] || !band->bufs[1]) return AVERROR(ENOMEM); |
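Review bot: The error message in the new check in the second indeo5.c hunk scales the block position with `x*s` and `y*s`, which is zero for full-pel bands (`s == 0`) and leaves the position in whole samples for half-pel ones, so the logged coordinates do not match the units of `mb->mv_x`/`mb->mv_y`; `(x << s) + mb->mv_x, (y << s) + mb->mv_y` would print the position in motion-vector units. The bounds test itself compares only the flat offset of the first and last referenced sample against `band->bufsize`, so it keeps the read inside the buffer but not inside the row, and it depends on `bufsize` being a sample count and on the `* band->pitch` products not overflowing `int` (the types of the motion-vector fields are not visible here); a short comment above the `if` stating these assumptions would help the next reader. The unbraced `if (mb->type)` followed directly by a second `if` is easy to misread and would be safer written as one condition, `if (mb->type && (...)) {`. decode_mb_info's body starts and ends outside this hunk.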
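Review bot: The divisor in `band->bufsize = buf_size/2;` in the ivi_common.c hunk is an unexplained constant; it presumably converts the byte size passed to av_malloc() into a count of 16-bit samples, which is the unit the new motion-vector check in indeo5.c compares against. Because that check is only as strong as this value, it would be safer to derive it from the element type, `band->bufsize = buf_size / sizeof(*band->bufs[0]);`, or at least to add the comment `/* bufsize is in samples, not bytes */`. ff_ivi_init_planes continues outside the hunk, so whether every buffer allocated for the band shares this size cannot be confirmed from here.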