indeo: check for invalid motion vectors

libavcodec/ivi_common.c

@@ -212,6 +212,7 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
             band->width    = b_width;
             band->height   = b_height;
             band->pitch    = width_aligned;
+            band->aheight  = height_aligned;
             band->bufs[0]  = av_mallocz(buf_size);
             band->bufs[1]  = av_mallocz(buf_size);
             if (!band->bufs[0] || !band->bufs[1])
@@ -381,6 +382,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
                 mv_x >>= 1;
                 mv_y >>= 1; /* convert halfpel vectors into fullpel ones */
             }
+            if (mb->type) {
+                int dmv_x, dmv_y, cx, cy;
+
+                dmv_x = mb->mv_x >> band->is_halfpel;
+                dmv_y = mb->mv_y >> band->is_halfpel;
+                cx    = mb->mv_x &  band->is_halfpel;
+                cy    = mb->mv_y &  band->is_halfpel;
+
+                if (   mb->xpos + dmv_x < 0
+                    || mb->xpos + dmv_x + band->mb_size + cx > band->pitch
+                    || mb->ypos + dmv_y < 0
+                    || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
+                    return AVERROR_INVALIDDATA;
+                }
+            }
         }
 
         for (blk = 0; blk < num_blocks; blk++) {

libavcodec/ivi_common.h

@@ -135,6 +135,7 @@ typedef struct {
     int             band_num;       ///< band number
     int             width;
     int             height;
+    int             aheight;        ///< aligned band height
     const uint8_t   *data_ptr;      ///< ptr to the first byte of the band data
     int             data_size;      ///< size of the band data
     int16_t         *buf;           ///< pointer to the output buffer for this band