From c5ec1908597824e93bbe20137ac9662f84f3cb07 Mon Sep 17 00:00:00 2001
From: Kostya Shishkov
Date: Sat, 19 May 2012 16:07:42 +0200
Subject: [PATCH] indeo: check for invalid motion vectors

(cherry picked from commit cf61aaaca16810b9b3a28395ed48fda8db0e87d9)
Signed-off-by: Reinhard Tartler
---
 libavcodec/ivi_common.c | 16 ++++++++++++++++
 libavcodec/ivi_common.h | 1 +
 2 files changed, 17 insertions(+)

diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index b8286cd31c..41e66b1bfb 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -212,6 +212,7 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
 band->width = b_width;
 band->height = b_height;
 band->pitch = width_aligned;
+ band->aheight = height_aligned;
 band->bufs[0] = av_mallocz(buf_size);
 band->bufs[1] = av_mallocz(buf_size);
 if (!band->bufs[0] || !band->bufs[1])
@@ -383,6 +384,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
 mv_x >>= 1;
 mv_y >>= 1; /* convert halfpel vectors into fullpel ones */
 }
+ if (mb->type) {
+ int dmv_x, dmv_y, cx, cy;
+
+ dmv_x = mb->mv_x >> band->is_halfpel;
+ dmv_y = mb->mv_y >> band->is_halfpel;
+ cx = mb->mv_x & band->is_halfpel;
+ cy = mb->mv_y & band->is_halfpel;
+
+ if ( mb->xpos + dmv_x < 0
+ || mb->xpos + dmv_x + band->mb_size + cx > band->pitch
+ || mb->ypos + dmv_y < 0
+ || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
+ return AVERROR_INVALIDDATA;
+ }
+ }
 }

 for (blk = 0; blk < num_blocks; blk++) {
diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h
index 6842d748b3..8c37b94da5 100644
--- a/libavcodec/ivi_common.h
+++ b/libavcodec/ivi_common.h
@@ -135,6 +135,7 @@ typedef struct {
 int band_num; ///< band number
 int width;
 int height;
+ int aheight; ///< aligned band height
 const uint8_t *data_ptr; ///< ptr to the first byte of the band data
 int data_size; ///< size of the band data
 int16_t *buf; ///< pointer to the output buffer for this band
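Review bot: In the added `if (mb->type)` block of ff_ivi_decode_blocks, `band->is_halfpel` is used both as a shift count and as a bit mask, so the bounds test is only correct when that field is exactly 0 or 1, and nothing in this hunk shows where that is enforced. I would state the assumption next to the arithmetic, e.g. `/* is_halfpel must be 0 or 1: the shift gives the full-pel vector, the mask the extra pixel a half-pel vector reads */`, and confirm that the bitstream parsers reject any other value before this point. The limits are `band->pitch` and the new `band->aheight`, the aligned dimensions assigned in ff_ivi_init_planes, so the test bounds the reference read against the band buffers rather than the visible picture; a one-line comment saying so, and tying it to how `buf_size` is computed (not visible here), would help the next reader. The function body starts and ends outside the hunk, so whether other consumers of `mb->mv_x`/`mb->mv_y` in this file need the same check cannot be judged from these lines.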