[FFmpeg-cvslog] dxa: check vectors of 2x2 motion blocks

Michael Niedermayer git at videolan.org
Tue May 7 20:41:19 CEST 2013


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Tue May  7 20:33:33 2013 +0200| [ead590c2561980f2afda38a662364659577dca38] | committer: Michael Niedermayer

dxa: check vectors of 2x2 motion blocks

Fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ead590c2561980f2afda38a662364659577dca38
---

 libavcodec/dxa.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c
index b2f9b81..d30bfb2 100644
--- a/libavcodec/dxa.c
+++ b/libavcodec/dxa.c
@@ -133,6 +133,11 @@ static int decode_13(AVCodecContext *avctx, DxaDecContext *c, uint8_t* dst,
                     case 0x80: // motion compensation
                         x = (*mv) >> 4;    if(x & 8) x = 8 - x;
                         y = (*mv++) & 0xF; if(y & 8) y = 8 - y;
+                        if (i + 2*(k & 1) < -x || avctx->width  - i - 2*(k & 1) - 2 < x ||
+                            j +   (k & 2) < -y || avctx->height - j -   (k & 2) - 2 < y) {
+                            av_log(avctx, AV_LOG_ERROR, "MV %d %d out of bounds\n", x,y);
+                            return AVERROR_INVALIDDATA;
+                        }
                         tmp2 += x + y*stride;
                     case 0x00: // skip
                         tmp[d + 0         ] = tmp2[0];



More information about the ffmpeg-cvslog mailing list