[FFmpeg-cvslog] qpeg: fix an off by 1 error in the MV check

Anton Khirnov git at videolan.org
Sun Mar 19 18:40:23 EET 2017


ffmpeg | branch: master | Anton Khirnov <anton at khirnov.net> | Sun Aug 14 10:18:39 2016 +0200| [bba9d8bdfb208b0ec2ccf182530347151ee3528b] | committer: Anton Khirnov

qpeg: fix an off by 1 error in the MV check

height - me_y is the line from which we read, so it must be strictly
smaller than the frame height. Fixes possible invalid reads in corrupted
files.

Also, use a proper context for logging the error.

CC: libav-stable at libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bba9d8bdfb208b0ec2ccf182530347151ee3528b
---

 libavcodec/qpeg.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c
index f549cd5..3a2e56c 100644
--- a/libavcodec/qpeg.c
+++ b/libavcodec/qpeg.c
@@ -161,9 +161,9 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst,
 
                     /* check motion vector */
                     if ((me_x + filled < 0) || (me_x + me_w + filled > width) ||
-                       (height - me_y - me_h < 0) || (height - me_y > orig_height) ||
+                       (height - me_y - me_h < 0) || (height - me_y >= orig_height) ||
                        (filled + me_w > width) || (height - me_h < 0))
-                        av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n",
+                        av_log(qctx->avctx, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n",
                                me_x, me_y, me_w, me_h, filled, height);
                     else {
                         /* do motion compensation */
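
Review bot: The strict bound in "(height - me_y >= orig_height)" sits in the same condition as extent tests such as "(me_x + me_w + filled > width)" that use a plain ">", and the code gives no reason for the asymmetry. A short comment above the condition, saying that height - me_y is the first line read and is therefore an index that must be strictly less than orig_height, would stop a later cleanup from "normalizing" the operators back to the buggy form. Separately, the bogus-vector branch still only logs and skips the copy, and qpeg_decode_inter is declared static void, so a corrupted file produces a log line but no error for the caller. If that is intended, it is worth saying so in the same comment.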


