While decoding p blocks, the decoder can overread from a FourXContext
motion vector if a corrupted or modified bitstream is provided.
Fixes : Bug #110
---
libavcodec/4xm.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 21bde52..f7572a8 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -329,7 +329,7 @@ static void decode_p_block(FourXContext *f, uint16_t *dst,
uint16_t *src, int lo
if(code == 0){
src += f->mv[ *f->bytestream++ ];
- if(start > src || src > end){
+ if(start > src || src > end || *f->bytestream+1 >= 256){
av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
return;
}
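Review bot: The added term `*f->bytestream+1 >= 256` runs only after `f->mv[ *f->bytestream++ ]` has already been read, and it dereferences the already-advanced pointer, so it tests the next input byte rather than the index that was just used. If `bytestream` points to 8-bit data (its declaration is not visible in this hunk), the term is true only when that next byte is 255, which would reject some valid streams without bounding the lookup. It also adds one more read of the input with no visible check against the end of the buffer. The validation should come before the access: confirm that at least one input byte remains, fetch it into a local (`unsigned idx = *f->bytestream++;`), and compare `idx` with the element count of `f->mv` before indexing. The body of decode_p_block starts and ends outside the hunk, so an existing end-of-input check may be out of view.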
--
1.7.4.1