[FFmpeg-devel] [PATCH 4/6] avcodec/bink: Avoid undefined out of array end pointers in binkb_decode_plane()
Michael Niedermayer
michael at niedermayer.cc
Wed Jan 11 22:42:19 EET 2023
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavcodec/bink.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index a3140114f0..15fc9d29ed 100644
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -870,7 +870,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
binkb_init_bundles(c);
ref_start = frame->data[plane_idx];
- ref_end = frame->data[plane_idx] + (bh * frame->linesize[plane_idx] + bw - 1) * 8;
+ ref_end = frame->data[plane_idx] + ((bh - 1) * frame->linesize[plane_idx] + bw - 1) * 8;
for (i = 0; i < 64; i++)
coordmap[i] = (i & 7) + (i >> 3) * stride;
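Review bot: After this change `ref_end` is no longer an end bound but the address of the top-left pixel of the last 8x8 block a reference may start at, and nothing on the line says so. A short comment such as `/* inclusive: top-left pixel of the last valid 8x8 reference block */` would keep a later reader from re-adding `+ 8*stride` to the checks. The new bound matches the old test only if `stride` equals `frame->linesize[plane_idx]`; that definition is outside the hunk, so writing the expression with `stride` would make the dependency visible. The body of binkb_decode_plane starts and ends outside the hunk.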
@@ -926,7 +926,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
xoff = binkb_get_value(c, BINKB_SRC_X_OFF);
yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias;
ref = dst + xoff + yoff * stride;
- if (ref < ref_start || ref + 8*stride > ref_end) {
+ if (ref < ref_start || ref > ref_end) {
av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n");
} else if (ref + 8*stride < dst || ref >= dst + 8*stride) {
c->put_pixels_tab(dst, ref, stride, 8);
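Review bot: The unchanged `else if` line below the new check still forms `ref + 8*stride` and `dst + 8*stride`, which for a block in the last row (for example `ref == ref_end`) can point beyond the plane, so the kind of out-of-array pointer this patch removes from the bounds test is still created there. `ref = dst + xoff + yoff * stride` is likewise formed before it is validated, with xoff/yoff apparently taken from the bitstream through binkb_get_value(), so `ref < ref_start` may compare a pointer that is already outside the array. Validating an integer offset first, `ptrdiff_t off = dst - ref_start + xoff + yoff * stride;` with `if (off < 0 || off > ref_end - ref_start)`, and writing the overlap test as `ref - dst < -8*stride || ref - dst >= 8*stride`, would avoid both. The same lines appear in the hunks at -942 and -974, and the enclosing function starts and ends outside the hunk.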
@@ -942,7 +942,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
xoff = binkb_get_value(c, BINKB_SRC_X_OFF);
yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias;
ref = dst + xoff + yoff * stride;
- if (ref < ref_start || ref + 8 * stride > ref_end) {
+ if (ref < ref_start || ref > ref_end) {
av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n");
} else if (ref + 8*stride < dst || ref >= dst + 8*stride) {
c->put_pixels_tab(dst, ref, stride, 8);
@@ -974,7 +974,7 @@ static int binkb_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb,
xoff = binkb_get_value(c, BINKB_SRC_X_OFF);
yoff = binkb_get_value(c, BINKB_SRC_Y_OFF) + ybias;
ref = dst + xoff + yoff * stride;
- if (ref < ref_start || ref + 8 * stride > ref_end) {
+ if (ref < ref_start || ref > ref_end) {
av_log(c->avctx, AV_LOG_WARNING, "Reference block is out of bounds\n");
} else if (ref + 8*stride < dst || ref >= dst + 8*stride) {
c->put_pixels_tab(dst, ref, stride, 8);
--
2.17.1