out of buffer access fix

Originally committed as revision 3744 to svn://svn.ffmpeg.org/ffmpeg/trunk

out of buffer access fix
Originally committed as revision 3744 to svn://svn.ffmpeg.org/ffmpeg/trunk
a9799653 · Michael Niedermayer · 0fd6aea1 · a9799653
Commit a9799653 authored Dec 09, 2004 by Michael Niedermayer
Show whitespace changes
Inline Side-by-side

Showing with 14 additions and 9 deletions

h264.c libavcodec/h264.c +14 -9

No files found.
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2401,18 +2401,23 @@ static void hl_decode_mb(H264Context *h){
            if(!s->encoding){
                for(i=0; i<16; i++){
                    uint8_t * const ptr= dest_y + h->block_offset[i];
-                    uint8_t *topright= ptr + 4 - linesize;
+                    uint8_t *topright;
-                    const int topright_avail= (h->topright_samples_available<<i)&0x8000;
                    const int dir= h->intra4x4_pred_mode_cache[ scan8[i] ];
                    int tr;
+                    if(dir == DIAG_DOWN_LEFT_PRED || dir == VERT_LEFT_PRED){
+                        const int topright_avail= (h->topright_samples_available<<i)&0x8000;
+                        assert(mb_y || linesize <= h->block_offset[i]);
                        if(!topright_avail){
                            tr= ptr[3 - linesize]*0x01010101;
                            topright= (uint8_t*) &tr;
                        }else if(i==5 && h->deblocking_filter){
                            tr= *(uint32_t*)h->top_border[mb_x+1];
                            topright= (uint8_t*) &tr;
-                    }
+                        }else
+                            topright= ptr + 4 - linesize;
+                    }else
+                        topright= NULL;
                    h->pred4x4[ dir ](ptr, topright, linesize);
                    if(h->non_zero_count_cache[ scan8[i] ]){