Module: libav Branch: release/0.8 Commit: 0c943d1cdd18d0aea4ebc15f18a1152f7a77e5c9
Author: Luca Barbato <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Sun Jun 9 18:27:05 2013 +0200 4xm: do not overread the source buffer in decode_p_block Check for out of picture macroblocks before calling mcdc. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: [email protected] (cherry picked from commit 94aefb1932be882fd93f66cf790ceb19ff575c19) Signed-off-by: Reinhard Tartler <[email protected]> Conflicts: libavcodec/4xm.c --- libavcodec/4xm.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index e9f08c3..77d15d5 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -343,6 +343,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo decode_p_block(f, dst , src , log2w, log2h, stride); decode_p_block(f, dst + (1<<log2w), src + (1<<log2w), log2w, log2h, stride); }else if(code == 3 && f->version<2){ + if (start > src || src > end) { + av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); + return; + } mcdc(dst, src, log2w, h, stride, 1, 0); }else if(code == 4){ src += f->mv[bytestream2_get_byte(&f->g)]; @@ -352,6 +356,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo } mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2)); }else if(code == 5){ + if (start > src || src > end) { + av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); + return; + } mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2)); }else if(code == 6){ if(log2w){ _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
