dxa: check vectors of 4x4 motion blocks
authorMichael Niedermayer <michaelni@gmx.at>
Tue, 7 May 2013 18:18:41 +0000 (20:18 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Tue, 7 May 2013 18:20:14 +0000 (20:20 +0200)
Fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/dxa.c

index 2286f33..b2f9b81 100644 (file)
@@ -71,6 +71,11 @@ static int decode_13(AVCodecContext *avctx, DxaDecContext *c, uint8_t* dst,
             case 4: // motion compensation
                 x = (*mv) >> 4;    if(x & 8) x = 8 - x;
                 y = (*mv++) & 0xF; if(y & 8) y = 8 - y;
+                if (i < -x || avctx->width  - i - 4 < x ||
+                    j < -y || avctx->height - j - 4 < y) {
+                    av_log(avctx, AV_LOG_ERROR, "MV %d %d out of bounds\n", x,y);
+                    return AVERROR_INVALIDDATA;
+                }
                 tmp2 += x + y*stride;
             case 0: // skip
             case 5: // skip in method 12