From a390aa0ea4d537fca1cb3c188206fac927482065 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 5 May 2012 14:27:35 +0200 Subject: [PATCH] eatgv: check motion vectors --- libavcodec/eatgv.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/eatgv.c b/libavcodec/eatgv.c index 34b79af5ae..9484ff1d0d 100644 --- a/libavcodec/eatgv.c +++ b/libavcodec/eatgv.c @@ -136,7 +136,6 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst * @return 0 on success, -1 on critical buffer underflow */ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){ - unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->width*s->last_frame.linesize[0]; int num_mvs; int num_blocks_raw; int num_blocks_packed; @@ -205,12 +204,15 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b int src_stride; if (vector < num_mvs) { - src = s->last_frame.data[0] + - (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] + - x*4 + s->mv_codebook[vector][0]; - src_stride = s->last_frame.linesize[0]; - if (src+3*src_stride+3>=frame0_end) + int mx = x * 4 + s->mv_codebook[vector][0]; + int my = y * 4 + s->mv_codebook[vector][1]; + + if ( mx < 0 || mx + 4 > s->avctx->width + || my < 0 || my + 4 > s->avctx->height) continue; + + src = s->last_frame.data[0] + mx + my * s->last_frame.linesize[0]; + src_stride = s->last_frame.linesize[0]; }else{ int offset = vector - num_mvs; if (offset