[CVE-2017-17130] avcodec/vc1dec: fix mby_start for interlaced content 47/176447/1
authorJiyong Min <jiyong.min@samsung.com>
Tue, 17 Apr 2018 06:38:07 +0000 (15:38 +0900)
committerJiyong Min <jiyong.min@samsung.com>
Thu, 19 Apr 2018 08:32:16 +0000 (08:32 +0000)
Bug-Id: 1100
Bug-Id: ffmpeg/Ticket2531
Cc: libav-stable@libav.org
(cherry picked from commit 5b6213ef6bf5e0781c83e86926eb0b33a98dc185)
Signed-off-by: Sean McGovern <gseanmcg@gmail.com>
Change-Id: I99bd5ad59140168dd90bc41545432660e3b8537c

libavcodec/vc1dec.c

index 1955cea..0f53ff8 100644 (file)
@@ -651,7 +651,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
                                   buf_size3 << 3);
                     /* assuming that the field marker is at the exact middle,
                        hope it's correct */
-                    slices[n_slices].mby_start = s->mb_height >> 1;
+                    slices[n_slices].mby_start = s->mb_height + 1 >> 1;
                     n_slices1 = n_slices - 1; // index of the last slice of the first field
                     n_slices++;
                     break;
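Review bot: The new expression `s->mb_height + 1 >> 1`, used in this hunk and again in the second field-marker path at -699, relies on `+` binding tighter than `>>`. It evaluates as intended, but GCC and Clang flag it under -Wparentheses and it is easy to misread in a value that bounds slice rows, so I would write `slices[n_slices].mby_start = (s->mb_height + 1) >> 1;` in both places. The comment above still says the field marker sits at the "exact middle", which no longer holds for odd mb_height; `/* first field gets the rounded-up half of the MB rows when mb_height is odd */` would record why the +1 is there. As the commit is tagged for CVE-2017-17130, a regression sample with an odd macroblock-row count, run under AddressSanitizer, would help keep the fix from regressing. vc1_decode_frame continues outside both hunks, so whether later code checks mby_start against the per-field height cannot be confirmed from here.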
@@ -699,7 +699,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
                 buf_size3 = vc1_unescape_buffer(divider + 4, buf + buf_size - divider - 4, slices[n_slices].buf);
                 init_get_bits(&slices[n_slices].gb, slices[n_slices].buf,
                               buf_size3 << 3);
-                slices[n_slices].mby_start = s->mb_height >> 1;
+                slices[n_slices].mby_start = s->mb_height + 1 >> 1;
                 n_slices1 = n_slices - 1;
                 n_slices++;
             }