Aneesh Dogra <[email protected]> writes: > While decoding p blocks the decoder can overread from a FourXContext > motion vector , if a corrupted or a modified bitstream is provided. > > Fixes : Bug #110 > --- > libavcodec/4xm.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c > index 21bde52..f7572a8 100644 > --- a/libavcodec/4xm.c > +++ b/libavcodec/4xm.c > @@ -329,7 +329,7 @@ static void decode_p_block(FourXContext *f, uint16_t > *dst, uint16_t *src, int lo > > if(code == 0){ > src += f->mv[ *f->bytestream++ ]; > - if(start > src || src > end){ > + if(start > src || src > end || *f->bytestream+1 >= 256){
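Review bot: The added test `*f->bytestream+1 >= 256` in decode_p_block runs after `src += f->mv[ *f->bytestream++ ]` has already read f->mv and advanced the pointer, so it inspects the byte that follows the index rather than the index itself and cannot prevent the overread the commit message describes. The expression parses as `(*f->bytestream) + 1`, which also dereferences the stream once more with no check that a byte remains. Consider reading the index into a local first, validating it against the number of entries in f->mv and confirming the bytestream still has data, and only then adding f->mv[index] to src.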
This looks wrong. Checking the next byte isn't going to do much good,
and why the +1?

--
Måns Rullgård
[email protected]
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
