| Message ID | 20171113204715.25185-1-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | 58cf31cee7a456057f337b3102a03206d833d5e8 |
| Headers | show |
On Mon, Nov 13, 2017 at 09:47:15PM +0100, Michael Niedermayer wrote: > Fixes: out of array read > Fixes: 3516/attachment-311488.dat > > Found-by: Insu Yun, Georgia Tech. > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> Tested-by: wuninsu@gmail.com will apply [...]
diff --git a/libavcodec/x86/mpegvideodsp.c b/libavcodec/x86/mpegvideodsp.c index e0498f3849..6009b64e07 100644 --- a/libavcodec/x86/mpegvideodsp.c +++ b/libavcodec/x86/mpegvideodsp.c @@ -52,8 +52,9 @@ static void gmc_mmx(uint8_t *dst, uint8_t *src, const int dyh = (dyy - (1 << (16 + shift))) * (h - 1); const int dxh = dxy * (h - 1); const int dyw = dyx * (w - 1); - int need_emu = (unsigned) ix >= width - w || - (unsigned) iy >= height - h; + int need_emu = (unsigned) ix >= width - w || width < w || + (unsigned) iy >= height - h || height< h + ; if ( // non-constant fullpel offset (3% of blocks) ((ox ^ (ox + dxw)) | (ox ^ (ox + dxh)) | (ox ^ (ox + dxw + dxh)) |
Fixes: out of array read Fixes: 3516/attachment-311488.dat Found-by: Insu Yun, Georgia Tech. Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/x86/mpegvideodsp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)