From 56ffa3fefb22605ac6507efa046ebddc38301521 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 4 Mar 2012 22:32:44 +0100
Subject: [PATCH] indeo3: Check motion vectors.

Fixes overread of reference frame.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/indeo3.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 83effae859..54389a1abf 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -584,6 +584,13 @@ static int decode_cell(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
 /* set the pointer to the reference pixels for modes 0-4 INTER */
 mv_y = cell->mv_ptr[0];
 mv_x = cell->mv_ptr[1];
+ if ( mv_x + 4*cell->xpos < 0
+ || mv_y + 4*cell->ypos < 0
+ || mv_x + 4*cell->xpos + 4*cell->width > plane->width
+ || mv_y + 4*cell->ypos + 4*cell->height > plane->height) {
+ av_log(avctx, AV_LOG_ERROR, "motion vector %d %d outside reference\n", mv_x + 4*cell->xpos, mv_y + 4*cell->ypos);
+ return AVERROR_INVALIDDATA;
+ }
 offset += mv_y * plane->pitch + mv_x;
 ref_block = plane->pixels[ctx->buf_sel ^ 1] + offset;
 }
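Review bot: The four bound tests and the av_log call in the added block each recompute `mv_x + 4*cell->xpos` and `mv_y + 4*cell->ypos`; naming the reference position once, `int ref_x = mv_x + 4*cell->xpos, ref_y = mv_y + 4*cell->ypos;`, and testing `ref_x < 0 || ref_y < 0 || ref_x + 4*cell->width > plane->width || ref_y + 4*cell->height > plane->height` makes the rejected region easier to verify against the later `offset += mv_y * plane->pitch + mv_x` read and keeps the log line within the usual line length. The check bounds against plane->width while the address is formed with plane->pitch, which is the stricter choice only if every read of ref_block stays within the width of each row — that depends on how the callers of ref_block index it, which is outside the hunk, so confirm no mode reads past 4*cell->width per row. The types of mv_x, mv_y, cell->xpos and cell->width are not visible here; the arithmetic is presumably done in int, where these products cannot overflow for plausible plane sizes, but that rests on the declarations. The enclosing block and decode_cell itself begin and continue outside the hunk.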