[libav-devel] [PATCH] mpegvideo_motion: Handle edge emulation even without unrestricted_mv

Vittorio Giovara vittorio.giovara at gmail.com
Mon Sep 12 16:33:11 CEST 2016


From: Michael Niedermayer <michaelni at gmx.at>

Fix out of bounds read.
Found by: F4B3CD at STARLAB.

Signed-off-by: Vittorio Giovara <vittorio.giovara at gmail.com>
---
 libavcodec/mpegvideo_motion.c | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c
index 8074dba..f6d9613 100644
--- a/libavcodec/mpegvideo_motion.c
+++ b/libavcodec/mpegvideo_motion.c
@@ -210,17 +210,14 @@ static inline int hpel_motion(MpegEncContext *s,
         dxy |= (motion_y & 1) << 1;
     src += src_y * s->linesize + src_x;
 
-    if (s->unrestricted_mv) {
-        if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 8, 0) ||
-            (unsigned)src_y > FFMAX(s->v_edge_pos - (motion_y & 1) - 8, 0)) {
-            s->vdsp.emulated_edge_mc(s->sc.edge_emu_buffer, src,
-                                     s->linesize, s->linesize,
-                                     9, 9,
-                                     src_x, src_y, s->h_edge_pos,
-                                     s->v_edge_pos);
-            src = s->sc.edge_emu_buffer;
-            emu = 1;
-        }
+    if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 8, 0) ||
+        (unsigned)src_y > FFMAX(s->v_edge_pos - (motion_y & 1) - 8, 0)) {
+        s->vdsp.emulated_edge_mc(s->sc.edge_emu_buffer, src,
+                                 s->linesize, s->linesize,
+                                 9, 9, src_x, src_y,
+                                 s->h_edge_pos, s->v_edge_pos);
+        src = s->sc.edge_emu_buffer;
+        emu = 1;
     }
     pix_op[dxy](dest, src, s->linesize, 8);
     return emu;
-- 
2.9.3



More information about the libav-devel mailing list