Commit 09302a89 authored by Laurent Aimar Committed by Michael Niedermayer

eatgv: fix out of bound reads on corrupted motions vectors.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent 74b9c598
...@@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst ...@@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst
* @return 0 on success, -1 on critical buffer underflow * @return 0 on success, -1 on critical buffer underflow
*/ */
static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){
unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->width*s->last_frame.linesize[0]; unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->height*s->last_frame.linesize[0];
int num_mvs; int num_mvs;
int num_blocks_raw; int num_blocks_raw;
int num_blocks_packed; int num_blocks_packed;
...@@ -211,7 +211,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b ...@@ -211,7 +211,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
(y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] + (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
x*4 + s->mv_codebook[vector][0]; x*4 + s->mv_codebook[vector][0];
src_stride = s->last_frame.linesize[0]; src_stride = s->last_frame.linesize[0];
if (src+3*src_stride+3>=frame0_end) if (src < s->last_frame.data[0] || src+3*src_stride+3>=frame0_end)
continue; continue;
}else{ }else{
int offset = vector - num_mvs; int offset = vector - num_mvs;
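Review bot: The new guard before `continue` tests `src` only after the pointer has been formed from the motion vector, so a corrupted vector still produces out-of-range pointer arithmetic, which is undefined behaviour in C, and the comparison is not guaranteed to catch it. Nothing bounds the horizontal component against the frame width either, so a block can straddle a row boundary and read line padding or the neighbouring row. Validating the block position as integers before building `src` covers both cases; the fence shows this, assuming the assignment that starts above the hunk is `src = s->last_frame.data[0] + …` and that blocks are 4x4, as `src+3*src_stride+3` suggests. The body of tgv_decode_inter starts before and continues after the visible lines.

```c
// … unchanged: opening of the branch that copies from the previous frame …
int mx = x*4 + s->mv_codebook[vector][0];
int my = y*4 + s->mv_codebook[vector][1];
if (mx < 0 || my < 0 ||
    mx + 4 > s->avctx->width || my + 4 > s->avctx->height)
    continue;
src = s->last_frame.data[0] + my*s->last_frame.linesize[0] + mx;
src_stride = s->last_frame.linesize[0];
// … unchanged: else branch (offset = vector - num_mvs) …
```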