From cf61aaaca16810b9b3a28395ed48fda8db0e87d9 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 19 May 2012 16:07:42 +0200 Subject: [PATCH] indeo: check for invalid motion vectors --- libavcodec/ivi_common.c | 16 ++++++++++++++++ libavcodec/ivi_common.h | 1 + 2 files changed, 17 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 6979231b7d..caa545c57f 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -212,6 +212,7 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) band->width = b_width; band->height = b_height; band->pitch = width_aligned; + band->aheight = height_aligned; band->bufs[0] = av_mallocz(buf_size); band->bufs[1] = av_mallocz(buf_size); if (!band->bufs[0] || !band->bufs[1]) @@ -381,6 +382,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) mv_x >>= 1; mv_y >>= 1; /* convert halfpel vectors into fullpel ones */ } + if (mb->type) { + int dmv_x, dmv_y, cx, cy; + + dmv_x = mb->mv_x >> band->is_halfpel; + dmv_y = mb->mv_y >> band->is_halfpel; + cx = mb->mv_x & band->is_halfpel; + cy = mb->mv_y & band->is_halfpel; + + if ( mb->xpos + dmv_x < 0 + || mb->xpos + dmv_x + band->mb_size + cx > band->pitch + || mb->ypos + dmv_y < 0 + || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) { + return AVERROR_INVALIDDATA; + } + } } for (blk = 0; blk < num_blocks; blk++) { diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index 6842d748b3..8c37b94da5 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h @@ -135,6 +135,7 @@ typedef struct { int band_num; ///< band number int width; int height; + int aheight; ///< aligned band height const uint8_t *data_ptr; ///< ptr to the first byte of the band data int data_size; ///< size of the band data int16_t *buf; ///< pointer to the output buffer for this band