4xm: do not overread the source buffer in decode_p_block

Check for out of picture macroblocks before calling mcdc.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index a70be14..2554ba9 100644 (file)
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -370,6 +370,10 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src,
                                   log2w, log2h, stride)) < 0)
             return ret;
     } else if (code == 3 && f->version < 2) {
+        if (start > src || src > end) {
+            av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+            return AVERROR_INVALIDDATA;
+        }
         mcdc(dst, src, log2w, h, stride, 1, 0);
     } else if (code == 4) {
         src += f->mv[bytestream2_get_byte(&f->g)];
@@ -379,6 +383,10 @@ static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src,
         }
         mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2));
     } else if (code == 5) {
+        if (start > src || src > end) {
+            av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+            return AVERROR_INVALIDDATA;
+        }
         mcdc(dst, src, log2w, h, stride, 0, bytestream2_get_le16(&f->g2));
     } else if (code == 6) {
         if (log2w) {