ivi_common: more MV Checks, fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

ivi_common: more MV Checks, fixes out of array reads
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
a93c7ca6 · Michael Niedermayer · c63e76ba · a93c7ca6
Commit a93c7ca6 authored Nov 09, 2012 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 0 deletions

ivi_common.c libavcodec/ivi_common.c +16 -0

No files found.
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -560,6 +560,22 @@ static int ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band,
                    mb->mv_y = ref_mb->mv_y;
                }
                need_mc |= mb->mv_x || mb->mv_y; /* tracking non-zero motion vectors */
+                {
+                    int dmv_x, dmv_y, cx, cy;
+
+                    dmv_x = mb->mv_x >> band->is_halfpel;
+                    dmv_y = mb->mv_y >> band->is_halfpel;
+                    cx    = mb->mv_x &  band->is_halfpel;
+                    cy    = mb->mv_y &  band->is_halfpel;
+
+                    if (   mb->xpos + dmv_x < 0
+                        || mb->xpos + dmv_x + band->mb_size + cx > band->pitch
+                        || mb->ypos + dmv_y < 0
+                        || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
+                        av_log(avctx, AV_LOG_ERROR, "MV out of bounds\n");
+                        return AVERROR_INVALIDDATA;
+                    }
+                }
            }

            mb++;