On 5 January 2012 22:15, Janne Grunau <[email protected]> wrote: > From: Michael Niedermayer <[email protected]> > > Bug found by: Oana Stratulat > > Signed-off-by: Janne Grunau <[email protected]> > --- > libavcodec/indeo3.c | 5 +++-- > 1 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c > index 46efbd8..574b11c 100644 > --- a/libavcodec/indeo3.c > +++ b/libavcodec/indeo3.c > @@ -767,7 +767,8 @@ static int parse_bintree(Indeo3DecodeContext *ctx, > AVCodecContext *avctx, > /* get motion vector index and setup the pointer to the mv > set */ > if (!ctx->need_resync) > ctx->next_cell_data = > &ctx->gb.buffer[(get_bits_count(&ctx->gb) + 7) >> 3]; > - curr_cell.mv_ptr = &ctx->mc_vectors[*(ctx->next_cell_data++) > << 1]; > + if (ctx->mc_vectors) > + curr_cell.mv_ptr = > &ctx->mc_vectors[*(ctx->next_cell_data++) << 1]; > curr_cell.tree = 1; /* enter the VQ tree */ > UPDATE_BITPOS(8); > } else { /* VQ tree DATA code */ > @@ -797,7 +798,7 @@ static int decode_plane(Indeo3DecodeContext *ctx, > AVCodecContext *avctx, > int32_t strip_width) > { > Cell curr_cell; > - int num_vectors; > + unsigned num_vectors; > > /* each plane data starts with mc_vector_count field, */ > /* an optional array of motion vectors followed by the vq data */ > --
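Review bot: In the parse_bintree hunk, guarding only the assignment with `if (ctx->mc_vectors)` leaves two problems. First, `curr_cell.mv_ptr` is not set on the NULL path, so the cell proceeds into the VQ tree (`curr_cell.tree = 1`) with whatever stale value mv_ptr held; the condition should instead return an error (this is corrupt or truncated input, so AVERROR_INVALIDDATA is the natural value). Second, `ctx->next_cell_data++` is inside the skipped statement, so on the NULL path the data pointer is not advanced even though `UPDATE_BITPOS(8)` still consumes the byte, and every later read through `next_cell_data` is off by one. The index `*(ctx->next_cell_data++) << 1` is also still unchecked against the number of motion vectors that were actually read; a bounds check there is needed regardless of whether mc_vectors is NULL.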
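Review bot: In the decode_plane hunk, changing `num_vectors` from `int` to `unsigned` only rules out negative values; a value larger than the mc_vectors array can still be used as a count and lead to out-of-range reads. Add an explicit range check at the point where num_vectors is read from the bitstream and reject the plane with an error if it is out of range, rather than relying on the signedness change.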
I strongly suspect that this situation deserves an error message. Additionally, it can be handled better: we should check the read value to be less than num_vectors to make sure we always read a correct vector. Also I'd check num_vectors to be in range 0..256 on its init (line 804-805). Current patch is just a quick hack IMO. _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
