Browse code
bink: fix out of reference frame read
Fixes Ticket1374
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b3675f890abee0bc446495711223a5c790234672)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2012/06/03 02:56:10Showing 1 changed files
| ... | ... |
@@ -1128,6 +1128,11 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx, |
| 1128 | 1128 |
xoff = get_value(c, BINK_SRC_X_OFF); |
| 1129 | 1129 |
yoff = get_value(c, BINK_SRC_Y_OFF); |
| 1130 | 1130 |
ref = prev + xoff + yoff * stride; |
| 1131 |
+ if (ref < ref_start || ref > ref_end) {
|
|
| 1132 |
+ av_log(c->avctx, AV_LOG_ERROR, "Copy out of bounds @%d, %d\n", |
|
| 1133 |
+ bx*8 + xoff, by*8 + yoff); |
|
| 1134 |
+ return -1; |
|
| 1135 |
+ } |
|
| 1131 | 1136 |
c->dsp.put_pixels_tab[1][0](dst, ref, stride, 8); |
| 1132 | 1137 |
memset(dctblock, 0, sizeof(*dctblock) * 64); |
| 1133 | 1138 |
dctblock[0] = get_value(c, BINK_SRC_INTER_DC); |