indeo3: fix motion vector validation

The index of the motion vector has to be checked before being multiplied by 2 for the array index. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

indeo3: fix motion vector validation
The index of the motion vector has to be checked before being multiplied by 2 for the array index. Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
4b7fa553 · Hendrik Leppkes · Derek Buitenhuis · ff80c682 · 4b7fa553
Commit 4b7fa553 authored Apr 29, 2012 by Hendrik Leppkes Committed by Derek Buitenhuis May 02, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

indeo3.c libavcodec/indeo3.c +2 -2

No files found.
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -773,12 +773,12 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
                /* get motion vector index and setup the pointer to the mv set */
                if (!ctx->need_resync)
                    ctx->next_cell_data = &ctx->gb.buffer[(get_bits_count(&ctx->gb) + 7) >> 3];
-                mv_idx = *(ctx->next_cell_data++) << 1;
+                mv_idx = *(ctx->next_cell_data++);
                if (mv_idx >= ctx->num_vectors) {
                    av_log(avctx, AV_LOG_ERROR, "motion vector index out of range\n");
                    return AVERROR_INVALIDDATA;
                }
-                curr_cell.mv_ptr = &ctx->mc_vectors[mv_idx];
+                curr_cell.mv_ptr = &ctx->mc_vectors[mv_idx << 1];
                curr_cell.tree   = 1; /* enter the VQ tree */
                UPDATE_BITPOS(8);
            } else { /* VQ tree DATA code */