From 6071644287d2a7471d906b688cb7253a5ceaaa8a Mon Sep 17 00:00:00 2001 From: Hendrik Leppkes Date: Wed, 25 Jan 2012 17:37:26 +0100 Subject: [PATCH] indeo3: fix motion vector validation The index of the motion vector has to be checked before being multiplied by 2 for the array index. Signed-off-by: Michael Niedermayer --- libavcodec/indeo3.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index ce84d72f8b..fc38f5e9cb 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -772,13 +772,12 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx, /* get motion vector index and setup the pointer to the mv set */ if (!ctx->need_resync) ctx->next_cell_data = &ctx->gb.buffer[(get_bits_count(&ctx->gb) + 7) >> 3]; - if(ctx->mc_vectors) - mv_idx = *(ctx->next_cell_data++) << 1; + mv_idx = *(ctx->next_cell_data++); if (mv_idx >= ctx->num_vectors) { av_log(avctx, AV_LOG_ERROR, "motion vector index out of range\n"); return AVERROR_INVALIDDATA; } - curr_cell.mv_ptr = &ctx->mc_vectors[mv_idx]; + curr_cell.mv_ptr = &ctx->mc_vectors[mv_idx << 1]; curr_cell.tree = 1; /* enter the VQ tree */ UPDATE_BITPOS(8); } else { /* VQ tree DATA code */