[FFmpeg-cvslog] dxa: check vectors of 2x2 motion blocks
Michael Niedermayer
git at videolan.org
Tue May 7 20:41:19 CEST 2013
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Tue May 7 20:33:33 2013 +0200| [ead590c2561980f2afda38a662364659577dca38] | committer: Michael Niedermayer
dxa: check vectors of 2x2 motion blocks
Fixes out of array reads
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ead590c2561980f2afda38a662364659577dca38
---
libavcodec/dxa.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/dxa.c b/libavcodec/dxa.c
index b2f9b81..d30bfb2 100644
--- a/libavcodec/dxa.c
+++ b/libavcodec/dxa.c
@@ -133,6 +133,11 @@ static int decode_13(AVCodecContext *avctx, DxaDecContext *c, uint8_t* dst,
case 0x80: // motion compensation
x = (*mv) >> 4; if(x & 8) x = 8 - x;
y = (*mv++) & 0xF; if(y & 8) y = 8 - y;
+ if (i + 2*(k & 1) < -x || avctx->width - i - 2*(k & 1) - 2 < x ||
+ j + (k & 2) < -y || avctx->height - j - (k & 2) - 2 < y) {
+ av_log(avctx, AV_LOG_ERROR, "MV %d %d out of bounds\n", x,y);
+ return AVERROR_INVALIDDATA;
+ }
tmp2 += x + y*stride;
case 0x00: // skip
tmp[d + 0 ] = tmp2[0];
More information about the ffmpeg-cvslog
mailing list