Browse code
avcodec/qpeg: fix off by 1 error in MV bounds check
Fixes out of array access
Fixes: asan_heap-oob_153760f_4_asan_heap-oob_1d7a4cf_164_VWbig6.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit dd3bfe3cc1ca26d0fff3a3baf61a40207032143f)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2014/10/04 04:08:52Showing 1 changed files
| ... | ... |
@@ -163,7 +163,7 @@ static void av_noinline qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, |
| 163 | 163 |
|
| 164 | 164 |
/* check motion vector */ |
| 165 | 165 |
if ((me_x + filled < 0) || (me_x + me_w + filled > width) || |
| 166 |
- (height - me_y - me_h < 0) || (height - me_y > orig_height) || |
|
| 166 |
+ (height - me_y - me_h < 0) || (height - me_y >= orig_height) || |
|
| 167 | 167 |
(filled + me_w > width) || (height - me_h < 0)) |
| 168 | 168 |
av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n", |
| 169 | 169 |
me_x, me_y, me_w, me_h, filled, height); |