Browse code
avcodec/vc1_pred: Fix refdist in scaleforopp()
Fixes: out of array access
Fixes: 16601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5656105392275456
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 413e0f2516eef678011cffd1ec6f0d92aa8bb96a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer authored on 2019/09/01 05:12:38Showing 1 changed files
| ... | ... |
@@ -197,9 +197,10 @@ static av_always_inline int scaleforopp(VC1Context *v, int n /* MV */, |
| 197 | 197 |
return n; |
| 198 | 198 |
} |
| 199 | 199 |
if (v->s.pict_type != AV_PICTURE_TYPE_B) |
| 200 |
- refdist = FFMIN(v->refdist, 3); |
|
| 200 |
+ refdist = v->refdist; |
|
| 201 | 201 |
else |
| 202 | 202 |
refdist = dir ? v->brfd : v->frfd; |
| 203 |
+ refdist = FFMIN(refdist, 3); |
|
| 203 | 204 |
scaleopp = ff_vc1_field_mvpred_scales[dir ^ v->second_field][0][refdist]; |
| 204 | 205 |
|
| 205 | 206 |
n = (n * scaleopp >> 8) * (1 << hpel); |