Chiebot-Mirror
/
FFmpeg
mirror of https://github.com/FFmpeg/FFmpeg.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

sanm: Check MV before using them.

Browse Source 
Fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
pull/9/head
Michael Niedermayer 12 years ago
parent 1d81f7448c
commit dc8dd2f6e9
1 changed files with 11 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 11
      libavcodec/sanm.c

11
libavcodec/sanm.c
Unescape View File

@ -29,6 +29,7 @@
#include "libavutil/imgutils.h" #include "libavutil/imgutils.h"
#include "libavcodec/dsputil.h" #include "libavcodec/dsputil.h"
#include "sanm_data.h" #include "sanm_data.h"
#include "libavutil/avassert.h"
#define NGLYPHS 256 #define NGLYPHS 256
@ -613,6 +614,16 @@ static int process_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *prev1,
} else { } else {
int mx = motion_vectors[code][0]; int mx = motion_vectors[code][0];
int my = motion_vectors[code][1]; int my = motion_vectors[code][1];
int index = prev2 - (const uint8_t*)ctx->frm2;
av_assert2(index >= 0 && index < (ctx->buf_size>>1));
if (index < - mx - my*stride ||
(ctx->buf_size>>1) - index < mx + size + (my + size - 1)*stride) {
av_log(ctx->avctx, AV_LOG_ERROR, "MV is invalid \n");
return AVERROR_INVALIDDATA;
}
for (k = 0; k < size; k++) for (k = 0; k < size; k++)
memcpy(dst + k * stride, prev2 + mx + (my + k) * stride, size); memcpy(dst + k * stride, prev2 + mx + (my + k) * stride, size);
} }

Write Preview
Loading…
Cancel
Save