diff options
| author | Anton Khirnov <anton@khirnov.net> | 2016-08-14 10:18:39 +0200 |
|---|---|---|
| committer | Anton Khirnov <anton@khirnov.net> | 2016-08-18 17:06:46 +0200 |
| commit | bba9d8bdfb208b0ec2ccf182530347151ee3528b (patch) | |
| tree | 6f3e9f60b791ab1dceb10b74fe966a6f03b7523b /libavcodec/qpeg.c | |
| parent | 796dca027be09334d7bbf4f2ac1200e06bb054cb (diff) | |
| download | ffmpeg-bba9d8bdfb208b0ec2ccf182530347151ee3528b.tar.gz | |
qpeg: fix an off by 1 error in the MV check
height - me_y is the line from which we read, so it must be strictly
smaller than the frame height. Fixes possible invalid reads in corrupted
files.
Also, use a proper context for logging the error.
CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Diffstat (limited to 'libavcodec/qpeg.c')
| -rw-r--r-- | libavcodec/qpeg.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index f549cd59fc..3a2e56c0fb 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -161,9 +161,9 @@ static void qpeg_decode_inter(QpegContext *qctx, uint8_t *dst, /* check motion vector */ if ((me_x + filled < 0) || (me_x + me_w + filled > width) || - (height - me_y - me_h < 0) || (height - me_y > orig_height) || + (height - me_y - me_h < 0) || (height - me_y >= orig_height) || (filled + me_w > width) || (height - me_h < 0)) - av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n", + av_log(qctx->avctx, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n", me_x, me_y, me_w, me_h, filled, height); else { /* do motion compensation */ |