Browse code
4xm: do not overread the source buffer in decode_p_block
Check for out of picture macroblocks before calling mcdc.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 94aefb1932be882fd93f66cf790ceb19ff575c19)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/4xm.c
Luca Barbato authored on 2013/06/10 01:27:05Showing 1 changed files
| ... | ... |
@@ -343,6 +343,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo |
| 343 | 343 |
decode_p_block(f, dst , src , log2w, log2h, stride); |
| 344 | 344 |
decode_p_block(f, dst + (1<<log2w), src + (1<<log2w), log2w, log2h, stride); |
| 345 | 345 |
}else if(code == 3 && f->version<2){
|
| 346 |
+ if (start > src || src > end) {
|
|
| 347 |
+ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); |
|
| 348 |
+ return; |
|
| 349 |
+ } |
|
| 346 | 350 |
mcdc(dst, src, log2w, h, stride, 1, 0); |
| 347 | 351 |
}else if(code == 4){
|
| 348 | 352 |
src += f->mv[bytestream2_get_byte(&f->g)]; |
| ... | ... |
@@ -352,6 +356,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo |
| 352 | 352 |
} |
| 353 | 353 |
mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2)); |
| 354 | 354 |
}else if(code == 5){
|
| 355 |
+ if (start > src || src > end) {
|
|
| 356 |
+ av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); |
|
| 357 |
+ return; |
|
| 358 |
+ } |
|
| 355 | 359 |
mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2)); |
| 356 | 360 |
}else if(code == 6){
|
| 357 | 361 |
if(log2w){
|