Module: libav Branch: release/11 Commit: 7252b220d85c1427e21a1256150d7e8584d8a4ae
Author: Anton Khirnov <an...@khirnov.net> Committer: Anton Khirnov <an...@khirnov.net> Date: Sun Aug 14 10:18:39 2016 +0200 qpeg: fix an off by 1 error in the MV check height - me_y is the line from which we read, so it must be strictly smaller than the frame height. Fixes possible invalid reads in corrupted files. Also, use a proper context for logging the error. CC: libav-sta...@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit bba9d8bdfb208b0ec2ccf182530347151ee3528b) Signed-off-by: Anton Khirnov <an...@khirnov.net> --- libavcodec/qpeg.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 4de1655..efa9598 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -161,9 +161,9 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, /* check motion vector */ if ((me_x + filled < 0) || (me_x + me_w + filled > width) || - (height - me_y - me_h < 0) || (height - me_y > orig_height) || + (height - me_y - me_h < 0) || (height - me_y >= orig_height) || (filled + me_w > width) || (height - me_h < 0)) - av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n", + av_log(qctx->avctx, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n", me_x, me_y, me_w, me_h, filled, height); else { /* do motion compensation */ _______________________________________________ libav-commits mailing list libav-commits@libav.org https://lists.libav.org/mailman/listinfo/libav-commits