RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

4xm: do not overread the source buffer in decode_p_block 

Check for out of picture macroblocks before calling mcdc.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
This commit is contained in:
Luca Barbato 2013-06-09 18:27:05 +02:00
parent be373cb50d
commit 94aefb1932
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libavcodec/4xm.c
View File

@ -370,6 +370,10 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src,
log2w, log2h, stride)) < 0) log2w, log2h, stride)) < 0)
return ret; return ret;
} else if (code == 3 && f->version < 2) { } else if (code == 3 && f->version < 2) {
if (start > src || src > end) {
av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
return AVERROR_INVALIDDATA;
}
mcdc(dst, src, log2w, h, stride, 1, 0); mcdc(dst, src, log2w, h, stride, 1, 0);
} else if (code == 4) { } else if (code == 4) {
src += f->mv[bytestream2_get_byte(&f->g)]; src += f->mv[bytestream2_get_byte(&f->g)];
@ -379,6 +383,10 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src,
} }
mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2)); mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2));
} else if (code == 5) { } else if (code == 5) {
if (start > src || src > end) {
av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
return AVERROR_INVALIDDATA;
}
mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2)); mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2));
} else if (code == 6) { } else if (code == 6) {
if (log2w) { if (log2w) {