Commit cf61aaac authored by Kostya Shishkov's avatar Kostya Shishkov

indeo: check for invalid motion vectors

parent 96037382
...@@ -212,6 +212,7 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) ...@@ -212,6 +212,7 @@ av_cold int ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
band->width = b_width; band->width = b_width;
band->height = b_height; band->height = b_height;
band->pitch = width_aligned; band->pitch = width_aligned;
band->aheight = height_aligned;
band->bufs[0] = av_mallocz(buf_size); band->bufs[0] = av_mallocz(buf_size);
band->bufs[1] = av_mallocz(buf_size); band->bufs[1] = av_mallocz(buf_size);
if (!band->bufs[0] || !band->bufs[1]) if (!band->bufs[0] || !band->bufs[1])
...@@ -381,6 +382,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) ...@@ -381,6 +382,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
mv_x >>= 1; mv_x >>= 1;
mv_y >>= 1; /* convert halfpel vectors into fullpel ones */ mv_y >>= 1; /* convert halfpel vectors into fullpel ones */
} }
if (mb->type) {
int dmv_x, dmv_y, cx, cy;
dmv_x = mb->mv_x >> band->is_halfpel;
dmv_y = mb->mv_y >> band->is_halfpel;
cx = mb->mv_x & band->is_halfpel;
cy = mb->mv_y & band->is_halfpel;
if ( mb->xpos + dmv_x < 0
|| mb->xpos + dmv_x + band->mb_size + cx > band->pitch
|| mb->ypos + dmv_y < 0
|| mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
return AVERROR_INVALIDDATA;
}
}
} }
for (blk = 0; blk < num_blocks; blk++) { for (blk = 0; blk < num_blocks; blk++) {
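Review bot: The bounds test added under `if (mb->type)` in ff_ivi_decode_blocks compares the displaced macroblock against `band->pitch` and `band->aheight`, so it only protects the reference buffers if `buf_size` in ff_ivi_init_planes covers at least pitch * aheight samples; that computation is outside the visible hunk and should be confirmed or asserted next to the allocation. The `cx`/`cy` masks (`mb->mv_x & band->is_halfpel`) also rely on `is_halfpel` being strictly 0 or 1, and they repeat the half-pel conversion already applied to the local `mv_x`/`mv_y` just above. I would add a comment above the test such as `/* reject MVs whose reference block leaves the pitch x aheight band buffer; is_halfpel must be 0 or 1 */`. The enclosing macroblock loop starts and ends outside the hunk, so whether other paths that use `mb->mv_x`/`mb->mv_y` for motion compensation pass through this check cannot be seen from here and is worth verifying.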
......
...@@ -135,6 +135,7 @@ typedef struct { ...@@ -135,6 +135,7 @@ typedef struct {
int band_num; ///< band number int band_num; ///< band number
int width; int width;
int height; int height;
int aheight; ///< aligned band height
const uint8_t *data_ptr; ///< ptr to the first byte of the band data const uint8_t *data_ptr; ///< ptr to the first byte of the band data
int data_size; ///< size of the band data int data_size; ///< size of the band data
int16_t *buf; ///< pointer to the output buffer for this band int16_t *buf; ///< pointer to the output buffer for this band
......