fix segfault with dracula.4xm

author Michael Niedermayer <michaelni@gmx.at>

Wed, 5 Sep 2007 01:14:17 +0000 (01:14 +0000)

committer Michael Niedermayer <michaelni@gmx.at>

Wed, 5 Sep 2007 01:14:17 +0000 (01:14 +0000)
author Michael Niedermayer <michaelni@gmx.at>
Wed, 5 Sep 2007 01:14:17 +0000 (01:14 +0000)
committer Michael Niedermayer <michaelni@gmx.at>
Wed, 5 Sep 2007 01:14:17 +0000 (01:14 +0000)
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c

index 83e1b92..79f754b 100644 (file)
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -301,11 +301,17 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
      const int index= size2index[log2h][log2w];
      const int h= 1<<log2h;
      int code= get_vlc2(&f->gb, block_type_vlc[1-f->version][index].table, BLOCK_TYPE_VLC_BITS, 1);
+    uint16_t *start= f->last_picture.data[0];
+    uint16_t *end= start + stride*(f->avctx->height-h+1) - (1<<log2w);
  
      assert(code>=0 && code<=6);
  
      if(code == 0){
          src += f->mv[ *f->bytestream++ ];
+        if(start > src || src > end){
+            av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+            return;
+        }
          mcdc(dst, src, log2w, h, stride, 1, 0);
      }else if(code == 1){
          log2h--;
@@ -319,6 +325,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
          mcdc(dst, src, log2w, h, stride, 1, 0);
      }else if(code == 4){
          src += f->mv[ *f->bytestream++ ];
+        if(start > src || src > end){
+            av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
+            return;
+        }
          mcdc(dst, src, log2w, h, stride, 1, le2me_16(*f->wordstream++));
      }else if(code == 5){
          mcdc(dst, src, log2w, h, stride, 0, le2me_16(*f->wordstream++));
author	Michael Niedermayer <michaelni@gmx.at>
	Wed, 5 Sep 2007 01:14:17 +0000 (01:14 +0000)
committer	Michael Niedermayer <michaelni@gmx.at>
	Wed, 5 Sep 2007 01:14:17 +0000 (01:14 +0000)