[FFmpeg-cvslog] bink: fix out of reference frame read
Michael Niedermayer
git at videolan.org
Thu Jun 7 01:44:21 CEST 2012
ffmpeg | branch: release/0.11 | Michael Niedermayer <michaelni at gmx.at> | Sat Jun 2 19:56:10 2012 +0200| [95b1cbc4cb86d839cc827f083af9491cec1703c1] | committer: Michael Niedermayer
bink: fix out of reference frame read
Fixes Ticket1374
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit b3675f890abee0bc446495711223a5c790234672)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=95b1cbc4cb86d839cc827f083af9491cec1703c1
---
libavcodec/bink.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index 8a9367d..4ad2e6f 100644
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -1128,6 +1128,11 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx,
xoff = get_value(c, BINK_SRC_X_OFF);
yoff = get_value(c, BINK_SRC_Y_OFF);
ref = prev + xoff + yoff * stride;
+ if (ref < ref_start || ref > ref_end) {
+ av_log(c->avctx, AV_LOG_ERROR, "Copy out of bounds @%d, %d\n",
+ bx*8 + xoff, by*8 + yoff);
+ return -1;
+ }
c->dsp.put_pixels_tab[1][0](dst, ref, stride, 8);
memset(dctblock, 0, sizeof(*dctblock) * 64);
dctblock[0] = get_value(c, BINK_SRC_INTER_DC);
More information about the ffmpeg-cvslog
mailing list