vp8: change mv_{min,max}.{x,y} type to int
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Mon, 8 Jun 2015 20:38:29 +0000 (22:38 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Tue, 28 Jul 2015 00:33:56 +0000 (02:33 +0200)
commit27d50fb2d52bc1fb85d13b968f61a70ea8defc9e
tree536d3bd1682f41e10e43e153fdfca9cc13c9ca8c
parente4e3b14bba127bdce9521a78446b294f6bc8e43b
vp8: change mv_{min,max}.{x,y} type to int

If one of the dimensions is larger than 8176, s->mb_width or
s->mb_height is larger than 511, leading to an int16_t overflow of
s->mv_max.{x,y}. This then causes av_clip to be called with amin > amax.

Changing the type to int avoids the overflow and has no negative
effect, because s->mv_max is only used in clamp_mv for clipping.
Since mv_max.{x,y} is positive and mv_min.{x,y} negative, av_clip can't
increase the absolute value. The input to av_clip is an int16_t, and
thus the output fits into int16_t as well.

For additional safety, s->mv_{min,max}.{x,y} are clipped to int16_t range
before use.

Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 6fdbaa2b7fb56623ab2163f861952bc1408c39b3)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/vp8.c
libavcodec/vp8.h