From 6fdbaa2b7fb56623ab2163f861952bc1408c39b3 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Mon, 8 Jun 2015 22:38:29 +0200
Subject: [PATCH] vp8: change mv_{min,max}.{x,y} type to int

If one of the dimensions is larger than 8176, s->mb_width or s->mb_height is larger than 511, leading to an int16_t overflow of s->mv_max.{x,y}. This then causes av_clip to be called with amin > amax. Changing the type to int avoids the overflow and has no negative effect, because s->mv_max is only used in clamp_mv for clipping. Since mv_max.{x,y} is positive and mv_min.{x,y} negative, av_clip can't increase the absolute value. The input to av_clip is an int16_t, and thus the output fits into int16_t as well. For additional safety, s->mv_{min,max}.{x,y} are clipped to int16_t range before use.

Reviewed-by: Ronald S. Bultje
Signed-off-by: Andreas Cadhalpun
---
 libavcodec/vp8.c | 6 ++++--
 libavcodec/vp8.h | 9 +++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index dbba5687f2..becbb2c437 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -757,8 +757,10 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
 static av_always_inline
 void clamp_mv(VP8Context *s, VP56mv *dst, const VP56mv *src)
 {
- dst->x = av_clip(src->x, s->mv_min.x, s->mv_max.x);
- dst->y = av_clip(src->y, s->mv_min.y, s->mv_max.y);
+ dst->x = av_clip(src->x, av_clip(s->mv_min.x, INT16_MIN, INT16_MAX),
+ av_clip(s->mv_max.x, INT16_MIN, INT16_MAX));
+ dst->y = av_clip(src->y, av_clip(s->mv_min.y, INT16_MIN, INT16_MAX),
+ av_clip(s->mv_max.y, INT16_MIN, INT16_MAX));
 }

 /**
diff --git a/libavcodec/vp8.h b/libavcodec/vp8.h
index b650892735..2135bd9d83 100644
--- a/libavcodec/vp8.h
+++ b/libavcodec/vp8.h
@@ -134,6 +134,11 @@ typedef struct VP8Frame {
 AVBufferRef *seg_map;
 } VP8Frame;

+typedef struct VP8intmv {
+ int x;
+ int y;
+} VP8intmv;
+
 #define MAX_THREADS 8
 typedef struct VP8Context {
 VP8ThreadData *thread_data;
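Review bot: The four inner `av_clip(..., INT16_MIN, INT16_MAX)` calls added to clamp_mv carry no comment, so the reasoning that justifies them (the bounds are now int while dst->x/dst->y stay int16_t, per the commit message) lives only in the commit log. A one-line comment above the two assignments would make the safety net self-explanatory, e.g. `/* mv_min/mv_max are int; clip each bound to int16_t range first so the clamped value is guaranteed to fit dst (int16_t) */`. Note that these clips bound each limit individually and do not by themselves restore the amin <= amax precondition the commit message says av_clip needs; if that ordering is guaranteed by how the bounds are computed (not visible in this hunk), stating it in the same comment would close the loop. clamp_mv is fully contained in the hunk.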
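Review bot: The new `VP8intmv` typedef in vp8.h is added without a doc comment, so the reason for introducing a second vector type instead of reusing VP56mv is only discoverable from the commit message. Suggest `/** Clamping bounds for motion vectors; int rather than int16_t so large frame dimensions cannot overflow them (see clamp_mv()). */` above the struct. Since the type holds a clamping range rather than a motion vector, a name such as `VP8mvbounds` would describe it more directly, though that is a style preference.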
@@ -152,8 +157,8 @@ typedef struct VP8Context {
 uint8_t deblock_filter;
 uint8_t mbskip_enabled;
 uint8_t profile;
- VP56mv mv_min;
- VP56mv mv_max;
+ VP8intmv mv_min;
+ VP8intmv mv_max;
 int8_t sign_bias[4]; ///< one state [0, 1] per ref frame type
 int ref_count[3];