diff options
| author | Laurent Aimar <fenrir@videolan.org> | 2011-10-08 23:40:27 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-11-04 01:00:29 +0100 |
| commit | 44740513709cb326667fc8b7d24abb6e16aacee6 (patch) | |
| tree | 2353bdbbc403dcc330d4771456169fb7ceab68fc /libavcodec | |
| parent | 1646d2d2ae20c32b075cf271c7b276a1d587ebe4 (diff) | |
| download | ffmpeg-44740513709cb326667fc8b7d24abb6e16aacee6.tar.gz | |
eatgv: fix out of bound reads on corrupted motions vectors.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 09302a897d1990b1338f049fcd29638d736b8823)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/eatgv.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c index 0855f10417..f50a308467 100644 --- a/libavcodec/eatgv.c +++ b/libavcodec/eatgv.c @@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst * @return 0 on success, -1 on critical buffer underflow */ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){ - unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->width*s->last_frame.linesize[0]; + unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->height*s->last_frame.linesize[0]; int num_mvs; int num_blocks_raw; int num_blocks_packed; @@ -211,7 +211,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] + x*4 + s->mv_codebook[vector][0]; src_stride = s->last_frame.linesize[0]; - if (src+3*src_stride+3>=frame0_end) + if (src < s->last_frame.data[0] || src+3*src_stride+3>=frame0_end) continue; }else{ int offset = vector - num_mvs; |