On Fri, Dec 16, 2011 at 08:47:35PM +0530, Aneesh Dogra wrote:
> While decoding p blocks the decoder can overread from a FourXContext
> motion vector, if a corrupted or a modified bitstream is provided.
>
> Fixes: Bug #110
> ---
> libavcodec/4xm.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
> index 21bde52..f7572a8 100644
> --- a/libavcodec/4xm.c
> +++ b/libavcodec/4xm.c
> @@ -329,7 +329,7 @@ static void decode_p_block(FourXContext *f, uint16_t
> *dst, uint16_t *src, int lo
>
> if(code == 0){
> src += f->mv[ *f->bytestream++ ];
> - if(start > src || src > end){
> + if(start > src || src > end || *f->bytestream+1 >= 256){
> av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
> return;
> }
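Review bot: the new condition on the `+` line tests the wrong byte, so the overread it is meant to stop still happens. The index into `f->mv` has already been consumed on the line above (`src += f->mv[ *f->bytestream++ ];`), so `*f->bytestream+1 >= 256` looks at the byte that follows the one used, and the read from `f->mv` with an unchecked index has already taken place by the time the check runs. Note also that `*f->bytestream+1` parses as `(*f->bytestream) + 1`; if `f->bytestream` points at bytes, as the name suggests, the comparison against 256 only fires when that byte is 255, which is not a range check on the index at all. Suggest reading the index into a local first, for example `int idx = *f->bytestream++;`, rejecting it when it lies outside the range `f->mv` covers, and only then doing `src += f->mv[idx];` ahead of the existing `start > src || src > end` test.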
> --
The patch is wrong - it checks the next byte's value instead of the used one,
and still overreads.
_______________________________________________
libav-devel mailing list
https://lists.libav.org/mailman/listinfo/libav-devel