[FFmpeg-cvslog] ivi_common: more MV Checks, fixes out of array reads

Michael Niedermayer git at videolan.org
Fri Nov 9 23:51:06 CET 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Fri Nov  9 23:38:51 2012 +0100| [a93c7ca6ef625188c9ec088c2e75f731b78c9923] | committer: Michael Niedermayer

ivi_common: more MV Checks, fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a93c7ca6ef625188c9ec088c2e75f731b78c9923
---

 libavcodec/ivi_common.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index 32c0b0f..b3b6e9f 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -560,6 +560,22 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
                     mb->mv_y = ref_mb->mv_y;
                 }
                 need_mc |= mb->mv_x || mb->mv_y; /* tracking non-zero motion vectors */
+                {
+                    int dmv_x, dmv_y, cx, cy;
+
+                    dmv_x = mb->mv_x >> band->is_halfpel;
+                    dmv_y = mb->mv_y >> band->is_halfpel;
+                    cx    = mb->mv_x &  band->is_halfpel;
+                    cy    = mb->mv_y &  band->is_halfpel;
+
+                    if (   mb->xpos + dmv_x < 0
+                        || mb->xpos + dmv_x + band->mb_size + cx > band->pitch
+                        || mb->ypos + dmv_y < 0
+                        || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
+                        av_log(avctx, AV_LOG_ERROR, "MV out of bounds\n");
+                        return AVERROR_INVALIDDATA;
+                    }
+                }
             }
 
             mb++;



More information about the ffmpeg-cvslog mailing list