mmvideo: check horizontal coordinate too

Fixes out of array accesses. Bug-Id: CVE-2013-3672 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 70cd3b8e659c3522eea5c16a65d14b8658894a94) Signed-off-by: Anton Khirnov <anton@khirnov.net>
author: Michael Niedermayer <michaelni@gmx.at> 2014-08-03 19:24:18 +0100
committer: Anton Khirnov <anton@khirnov.net> 2014-08-05 19:21:40 +0000
commit: bea14966e2a37019cb4e38420868c5bb0542d487 (patch)
tree: c8df821ab1a075158e0a325d3b3934f3a99f55e5 /libavcodec
parent: 6be5a3c0451e8f199ef1da09961aa76c08c87afd (diff)
download: ffmpeg-bea14966e2a37019cb4e38420868c5bb0542d487.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c
index abec2e8150..d80c832a31 100644
--- a/libavcodec/mmvideo.c
+++ b/libavcodec/mmvideo.c
@@ -154,6 +154,8 @@ static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert)
             int replace_array = bytestream2_get_byte(&s->gb);
             for(j=0; j<8; j++) {
                 int replace = (replace_array >> (7-j)) & 1;
+                if (x + half_horiz >= s->avctx->width)
+                    return AVERROR_INVALIDDATA;
                 if (replace) {
                     int color = bytestream2_get_byte(&data_ptr);
                     s->frame->data[0][y*s->frame->linesize[0] + x] = color;
author	Michael Niedermayer <michaelni@gmx.at>	2014-08-03 19:24:18 +0100
committer	Anton Khirnov <anton@khirnov.net>	2014-08-05 19:21:40 +0000
commit	bea14966e2a37019cb4e38420868c5bb0542d487 (patch)
tree	c8df821ab1a075158e0a325d3b3934f3a99f55e5 /libavcodec
parent	6be5a3c0451e8f199ef1da09961aa76c08c87afd (diff)
download	ffmpeg-bea14966e2a37019cb4e38420868c5bb0542d487.tar.gz