diff options
| author | Kostya Shishkov <kostya.shishkov@gmail.com> | 2012-05-19 16:07:42 +0200 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2012-10-14 16:03:23 -0400 |
| commit | c5ec1908597824e93bbe20137ac9662f84f3cb07 (patch) | |
| tree | 951949240b080fbd90bc1a114ebe6bf7aa5f70f5 /libavcodec | |
| parent | b561618014a2413d2b521d03561eb1e2028adbf4 (diff) | |
| download | ffmpeg-c5ec1908597824e93bbe20137ac9662f84f3cb07.tar.gz | |
indeo: check for invalid motion vectors
(cherry picked from commit cf61aaaca16810b9b3a28395ed48fda8db0e87d9)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/ivi_common.c | 16 | ||||
| -rw-r--r-- | libavcodec/ivi_common.h | 1 |
2 files changed, 17 insertions, 0 deletions
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index b8286cd31c..41e66b1bfb 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -212,6 +212,7 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) band->width = b_width; band->height = b_height; band->pitch = width_aligned; + band->aheight = height_aligned; band->bufs[0] = av_mallocz(buf_size); band->bufs[1] = av_mallocz(buf_size); if (!band->bufs[0] || !band->bufs[1]) @@ -383,6 +384,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) mv_x >>= 1; mv_y >>= 1; /* convert halfpel vectors into fullpel ones */ } + if (mb->type) { + int dmv_x, dmv_y, cx, cy; + + dmv_x = mb->mv_x >> band->is_halfpel; + dmv_y = mb->mv_y >> band->is_halfpel; + cx = mb->mv_x & band->is_halfpel; + cy = mb->mv_y & band->is_halfpel; + + if ( mb->xpos + dmv_x < 0 + || mb->xpos + dmv_x + band->mb_size + cx > band->pitch + || mb->ypos + dmv_y < 0 + || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) { + return AVERROR_INVALIDDATA; + } + } } for (blk = 0; blk < num_blocks; blk++) { diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index 6842d748b3..8c37b94da5 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h @@ -135,6 +135,7 @@ typedef struct { int band_num; ///< band number int width; int height; + int aheight; ///< aligned band height const uint8_t *data_ptr; ///< ptr to the first byte of the band data int data_size; ///< size of the band data int16_t *buf; ///< pointer to the output buffer for this band |