On Fri, Nov 17, 2017 at 04:20:55PM +0000, Derek Buitenhuis wrote: > mb_area_start has 5 entries, and 'a' is iterated through from 0 to 3. > 'a2' is set to 'a + 1', and mb_area_start[a2 + 1] is accessed, so if > a is 3, then we try to access mb_area_start[5]. > > Signed-off-by: Derek Buitenhuis <derek.buitenh...@gmail.com> > --- > I'm not 100% sure if this fix is /correct/, so hopefully someone > knows the DV code... > --- > libavcodec/dvenc.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/dvenc.c b/libavcodec/dvenc.c > index ce2fc75daa..b79cbebb04 100644 > --- a/libavcodec/dvenc.c > +++ b/libavcodec/dvenc.c > @@ -383,7 +383,7 @@ static inline void dv_guess_qnos(EncBlockInfo *blks, int > *qnos) > prev = k; > } else { > if (b->next[k] >= mb_area_start[a + 1] && > b->next[k] < 64) { > - for (a2 = a + 1; b->next[k] >= > mb_area_start[a2 + 1]; a2++) > + for (a2 = a + 1; a2 < 4 && b->next[k] >= > mb_area_start[a2 + 1]; a2++) > b->prev[a2] = prev; > av_assert2(a2 < 4);
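Review bot: The added "a2 < 4" bound in the for header lets the loop exit with a2 == 4, while the unchanged "av_assert2(a2 < 4);" directly after it treats that state as impossible, so the patch leaves the two in conflict. If the out-of-range read is reachable, builds where av_assert2 is active will now stop at the assertion and the code after the loop has to cope with a2 == 4; if it is not reachable (the enclosing test already requires "b->next[k] < 64"), the extra condition is dead code and a comment stating the invariant would serve better. Please say in the commit message which case applies, and consider deriving the bound from the array size rather than the literal 4.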
hmm, I can't really remember this clearly but from looking at the code it looks like this is the logic:

b->next[k] < 64
b->next[k] >= mb_area_start[a + 1]
implies
mb_area_start[a + 1] < 64
which implies a < 3 and a2 < 4 on the first iteration
so the first is still in the array

subsequently, b->next[k] >= mb_area_start[a2 + 1] exists before the end as b->next[k] < 64 and the last entry being 64

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The real ebay dictionary, page 1
"Used only once"    - "Some unspecified defect prevented a second use"
"In good condition" - "Can be repaird by experienced expert"
"As is" - "You wouldnt want it even if you were payed for it, if you knew ..."
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
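Added example, not part of the original thread and not FFmpeg code: a brute-force check of the bounds argument made in the reply above, replaying the unpatched loop for every a in 0..3 and every next value in 0..63. It goes beyond the thread by also running a table whose last entry is below 64; the helper names and all table values except the final 64 are assumptions.

```c
#include <stdio.h>
#define AREAS 5  /* mb_area_start has 5 entries, per the commit message */

/* Replays the unpatched loop for one (a, next) pair and returns the highest
 * table index it reads, or -1 when the enclosing if-condition is false.
 * A read past index 4 is recorded, not performed. */
static int max_index_read(const int *tab, int a, int next, int *a2_out)
{
    int a2, hi;
    if (!(next >= tab[a + 1] && next < 64))
        return -1;
    hi = a + 1;                      /* index read by the enclosing test */
    for (a2 = a + 1; ; a2++) {
        int idx = a2 + 1;
        if (idx > hi)
            hi = idx;
        if (idx >= AREAS)            /* would be out of bounds: stop here */
            break;
        if (!(next >= tab[idx]))     /* normal loop exit */
            break;
    }
    *a2_out = a2;
    return hi;
}

/* Exhaustively checks a = 0..3 and next = 0..63; returns 1 when every read
 * stays inside the table and the loop always exits with a2 < 4. */
static int loop_stays_in_bounds(const int *tab)
{
    int a, next, a2 = 0, hi;
    for (a = 0; a < 4; a++)
        for (next = 0; next < 64; next++) {
            hi = max_index_read(tab, a, next, &a2);
            if (hi >= AREAS || (hi >= 0 && a2 >= 4))
                return 0;
        }
    return 1;
}

/* Assumed sample tables: only "5 entries, last entry 64" is from the thread. */
static const int tab_last_64[AREAS] = { 1, 6, 21, 43, 64 };
static const int tab_last_60[AREAS] = { 1, 6, 21, 43, 60 };

int main(void)
{
    printf("last entry 64: %s\n", loop_stays_in_bounds(tab_last_64) ? "in bounds" : "overrun");
    printf("last entry 60: %s\n", loop_stays_in_bounds(tab_last_60) ? "in bounds" : "overrun");
    return 0;
}
```

With the last entry at 64 the a = 3 case never passes the enclosing test, which is the step the reply relies on; lowering the last entry to 60 makes next values 60..63 reach index 5.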