[libav-commits] indeo: check for invalid motion vectors

Kostya Shishkov git at libav.org
Sun Oct 14 22:20:52 CEST 2012


Module: libav
Branch: release/0.8
Commit: c5ec1908597824e93bbe20137ac9662f84f3cb07

Author:    Kostya Shishkov <kostya.shishkov at gmail.com>
Committer: Reinhard Tartler <siretart at tauware.de>
Date:      Sat May 19 16:07:42 2012 +0200

indeo: check for invalid motion vectors

(cherry picked from commit cf61aaaca16810b9b3a28395ed48fda8db0e87d9)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

---

 libavcodec/ivi_common.c |   16 ++++++++++++++++
 libavcodec/ivi_common.h |    1 +
 2 files changed, 17 insertions(+), 0 deletions(-)

diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index b8286cd..41e66b1 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -212,6 +212,7 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg)
             band->width    = b_width;
             band->height   = b_height;
             band->pitch    = width_aligned;
+            band->aheight  = height_aligned;
             band->bufs[0]  = av_mallocz(buf_size);
             band->bufs[1]  = av_mallocz(buf_size);
             if (!band->bufs[0] || !band->bufs[1])
@@ -383,6 +384,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile)
                 mv_x >>= 1;
                 mv_y >>= 1; /* convert halfpel vectors into fullpel ones */
             }
+            if (mb->type) {
+                int dmv_x, dmv_y, cx, cy;
+
+                dmv_x = mb->mv_x >> band->is_halfpel;
+                dmv_y = mb->mv_y >> band->is_halfpel;
+                cx    = mb->mv_x &  band->is_halfpel;
+                cy    = mb->mv_y &  band->is_halfpel;
+
+                if (   mb->xpos + dmv_x < 0
+                    || mb->xpos + dmv_x + band->mb_size + cx > band->pitch
+                    || mb->ypos + dmv_y < 0
+                    || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) {
+                    return AVERROR_INVALIDDATA;
+                }
+            }
         }
 
         for (blk = 0; blk < num_blocks; blk++) {
diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h
index 6842d74..8c37b94 100644
--- a/libavcodec/ivi_common.h
+++ b/libavcodec/ivi_common.h
@@ -135,6 +135,7 @@ typedef struct {
     int             band_num;       ///< band number
     int             width;
     int             height;
+    int             aheight;        ///< aligned band height
     const uint8_t   *data_ptr;      ///< ptr to the first byte of the band data
     int             data_size;      ///< size of the band data
     int16_t         *buf;           ///< pointer to the output buffer for this band



More information about the libav-commits mailing list