On Fri, Dec 16, 2011 at 03:34:08PM +0000, Måns Rullgård wrote:
> Aneesh Dogra <[email protected]> writes:
>
> > While decoding p blocks the decoder can overread from a FourXContext
> > motion vector, if a corrupted or a modified bitstream is provided.
> >
> > Fixes: Bug #110
> > ---
> > libavcodec/4xm.c | 2 +-
> > 1 files changed, 1 insertions(+), 1 deletions(-)
> >
> > diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
> > index 21bde52..f7572a8 100644
> > --- a/libavcodec/4xm.c
> > +++ b/libavcodec/4xm.c
> > @@ -329,7 +329,7 @@ static void decode_p_block(FourXContext *f, uint16_t
> > *dst, uint16_t *src, int lo
> >
> > if(code == 0){
> > src += f->mv[ *f->bytestream++ ];
> > - if(start > src || src > end){
> > + if(start > src || src > end || *f->bytestream+1 >= 256){
>
> This looks wrong. Checking the next byte isn't going to do much good,
> and why the +1?
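Review bot: the added condition `*f->bytestream+1 >= 256` in the `if(code == 0)` hunk tests the byte after the one already consumed by `*f->bytestream++` on the preceding line, so it never constrains the index that was actually used for `f->mv[...]`. Since `bytestream` is a `const uint8_t*` (as stated later in the thread), `*f->bytestream+1 >= 256` is true only when that next byte is 0xFF, so the patch rejects one arbitrary legitimate value and leaves the overread named in the commit message unaddressed. If the worry is the table index, a `uint8_t` cannot exceed 255 and `f->mv` has 256 entries, so no value check is needed; if the worry is reading past the end of the input, the check belongs on the position of `f->bytestream` relative to the end of the buffer, performed before the byte is fetched, not on the byte's value. Minor: `*f->bytestream+1` parses as `(*f->bytestream)+1`; if a value check is kept, parenthesise it so the intent is explicit.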
f->mv is an array of 256 and bytestream is of type const uint8_t*, so I'm not sure what can be fixed here.

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
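A stand-alone C model of the lookup under review, added here as an illustration for this page; it is not libav code and not part of the thread. It takes from the thread that f->mv has 256 entries and that bytestream is a const uint8_t*; the bytestream_end field, the helper names and the sample stream are assumptions made for the example. It shows three things: the proposed condition is true only for the byte 0xFF; every value a uint8_t can hold is an in-range index into a 256-entry table, so the mv[] access itself cannot overread; and the read that does need guarding is the byte fetch from the bytestream, checked here against the assumed end pointer before a byte is consumed.

```c
/* Model of the decode_p_block() motion-vector lookup discussed above.
 * Added illustration, not libav code: the bytestream_end field, the helper
 * names and the sample stream are assumptions made for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MV_ENTRIES 256

typedef struct {
    int mv[MV_ENTRIES];            /* "an array of 256", as stated in the thread */
    const uint8_t *bytestream;     /* "const uint8_t*", as stated in the thread */
    const uint8_t *bytestream_end; /* assumed: one past the last byte of the input */
} Ctx;

enum { LOOKUP_OK = 0, LOOKUP_TRUNCATED = 1 };

/* The condition the patch adds, evaluated with C's usual promotions: the
 * uint8_t widens to int, so value + 1 >= 256 holds only for 0xFF. */
int proposed_check_fires(uint8_t byte)
{
    return byte + 1 >= 256;
}

/* Every uint8_t value is a valid index into a 256-entry table, so indexing
 * mv[] with one cannot overread; returns 1 if that holds for all 256 values. */
int all_u8_indices_in_range(void)
{
    for (int b = 0; b <= 0xFF; b++) {
        unsigned idx = (uint8_t)b;
        if (idx >= MV_ENTRIES)
            return 0;
    }
    return 1;
}

/* The fetch is what needs a bound: the index is limited by its type, but
 * nothing visible in the hunk stops f->bytestream from advancing past the
 * end of the input. Checked variant of the lookup (assumed design): */
int lookup_mv_checked(Ctx *f, int *mv_out)
{
    if (f->bytestream >= f->bytestream_end)
        return LOOKUP_TRUNCATED;       /* do not consume a byte that is not there */
    *mv_out = f->mv[*f->bytestream++]; /* index is 0..255, always inside mv[] */
    return LOOKUP_OK;
}

/* Run the checked lookup over a stream of `len` index bytes and count how
 * many lookups succeed before the stream is exhausted. */
int lookups_before_truncation(const uint8_t *stream, size_t len)
{
    Ctx f;
    for (int i = 0; i < MV_ENTRIES; i++)
        f.mv[i] = i - 128;             /* arbitrary table contents */
    f.bytestream = stream;
    f.bytestream_end = stream + len;

    int n = 0, mv;
    while (lookup_mv_checked(&f, &mv) == LOOKUP_OK)
        n++;
    return n;
}

int main(void)
{
    /* Constructed sample stream: three index bytes, including 0x00 and 0xFF. */
    static const uint8_t sample[] = { 0x00, 0xFF, 0x7F };

    printf("proposed check fires for 0xFF: %d, for 0xFE: %d\n",
           proposed_check_fires(0xFF), proposed_check_fires(0xFE));
    printf("all uint8_t indices inside mv[]: %d\n", all_u8_indices_in_range());
    printf("lookups before the stream is exhausted: %d (stream length %zu)\n",
           lookups_before_truncation(sample, sizeof sample), sizeof sample);
    return 0;
}
```

Build and run with `cc -std=c99 model.c && ./a.out`. The checked lookup stops exactly at the end of the constructed three-byte stream, whereas a value test on the byte would have let the fetch continue regardless of where the buffer ends.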
