xenia-project/FFmpeg
1
0
Fork 0
mirror of https://github.com/xenia-project/FFmpeg.git synced 2025-02-10 06:14:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

qpeg: fix an off by 1 error in the MV check

Browse Source 
height - me_y is the line from which we read, so it must be strictly
smaller than the frame height. Fixes possible invalid reads in corrupted
files.

Also, use a proper context for logging the error.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
This commit is contained in:
Anton Khirnov 2016-08-14 10:18:39 +02:00
parent 796dca027b
commit bba9d8bdfb
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/qpeg.c
View File

@ -161,9 +161,9 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst,
/* check motion vector */
if ((me_x + filled < 0) || (me_x + me_w + filled > width) ||
(height - me_y - me_h < 0) || (height - me_y > orig_height) ||
(height - me_y - me_h < 0) || (height - me_y >= orig_height) ||
(filled + me_w > width) || (height - me_h < 0))
av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n",
av_log(qctx->avctx, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n",
me_x, me_y, me_w, me_h, filled, height);
else {
/* do motion compensation */