From cf61aaaca16810b9b3a28395ed48fda8db0e87d9 Mon Sep 17 00:00:00 2001
From: Kostya Shishkov <kostya.shishkov@gmail.com>
Date: Sat, 19 May 2012 16:07:42 +0200
Subject: [PATCH] indeo: check for invalid motion vectors

---
 libavcodec/ivi_common.c | 16 ++++++++++++++++
 libavcodec/ivi_common.h |  1 +
 2 files changed, 17 insertions(+)

diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index 6979231b7dd..caa545c57fe 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -212,6 +212,7 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
             band->width    = b_width;
             band->height   = b_height;
             band->pitch    = width_aligned;
+            band->aheight  = height_aligned;
             band->bufs[0]  = av_mallocz(buf_size);
             band->bufs[1]  = av_mallocz(buf_size);
             if (!band->bufs[0] || !band->bufs[1])
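Review bot: `band->aheight` is introduced here as the vertical bound that `ff_ivi_decode_blocks` later checks motion vectors against, so it is only a safe bound if `buf_size` (computed above this hunk, not visible here) covers at least `width_aligned * height_aligned` samples of `bufs[0]`/`bufs[1]`; that coupling is implicit and would silently break if `buf_size` were ever derived from `b_height` instead. A one-line comment tying the two together would help: `/* pitch/aheight describe the bufs[] allocation; they bound the MV range checks */`. ff_ivi_init_planes starts and ends outside the hunk.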
@@ -381,6 +382,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
                 mv_x >>= 1;
                 mv_y >>= 1; /* convert halfpel vectors into fullpel ones */
             }
+            if (mb->type) {
+                int dmv_x, dmv_y, cx, cy;
+
+                dmv_x = mb->mv_x >> band->is_halfpel;
+                dmv_y = mb->mv_y >> band->is_halfpel;
+                cx    = mb->mv_x &  band->is_halfpel;
+                cy    = mb->mv_y &  band->is_halfpel;
+
+                if (   mb->xpos + dmv_x < 0
+                    || mb->xpos + dmv_x + band->mb_size + cx > band->pitch
+                    || mb->ypos + dmv_y < 0
+                    || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
+                    return AVERROR_INVALIDDATA;
+                }
+            }
         }
 
         for (blk = 0; blk < num_blocks; blk++) {
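Review bot: The new range check relies on `band->is_halfpel` being exactly 0 or 1, because it is used both as a shift count (`dmv_x = mb->mv_x >> band->is_halfpel`) and as the bit mask for the sub-pel part (`cx = mb->mv_x & band->is_halfpel`); nothing in the hunk pins that, and any other non-zero value would make `cx`/`cy` wrong and the bound too small. Either document it with `/* is_halfpel must be 0 or 1: used as both shift count and sub-pel mask */` or derive the fraction as `cx = mb->mv_x - (dmv_x << band->is_halfpel);` so the check does not depend on it. It is also worth a comment explaining why the comparison is against the aligned allocation (`pitch`/`aheight`) rather than `width`/`height`, and that the `+ cx`/`+ cy` term accounts for the extra column/row the half-pel interpolation reads; the right shift of a negative `mv_x` is implementation-defined in C (arithmetic shift is assumed, as elsewhere in FFmpeg). ff_ivi_decode_blocks starts and ends outside the hunk.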
diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h
index 6842d748b36..8c37b94da5c 100644
--- a/libavcodec/ivi_common.h
+++ b/libavcodec/ivi_common.h
@@ -135,6 +135,7 @@ typedef struct {
     int             band_num;       ///< band number
     int             width;
     int             height;
+    int             aheight;        ///< aligned band height
     const uint8_t   *data_ptr;      ///< ptr to the first byte of the band data
     int             data_size;      ///< size of the band data
     int16_t         *buf;           ///< pointer to the output buffer for this band
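Review bot: The new `aheight` field's comment says only "aligned band height", which does not tell a reader how it differs from `height` or why it exists; since it is the row count of the `bufs[]` allocation and the bound used when validating motion vectors, say so: `///< aligned band height (rows allocated in bufs[]; bounds the MV range checks)`. The struct continues outside the hunk.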
-- 
GitLab