Fix out of bounds read.

(Apply security patch for CVE-2016-7424)

 - Referenced

 The put_no_rnd_pixels8_xy2_mmx function in x86/rnd_template.c in libav 11.7 and earlier allows remote
 attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted MP3 file
 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7424

 - Solution

 https://git.libav.org/?p=libav.git;a=commit;h=136f55207521f0b03194ef5b55ba70f1635d6aee
 Fix out of bounds read.

Change-Id: I20a5beb71b95b0286f89a66441d07fce7d21de9a
Signed-off-by: Jiyong Min <jiyong.min@samsung.com>

diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c
index f33db34..a3cba98 100644 (file)
--- a/libavcodec/mpegvideo_motion.c
+++ b/libavcodec/mpegvideo_motion.c
@@ -209,17 +209,14 @@ static inline int hpel_motion(MpegEncContext *s,
         dxy |= (motion_y & 1) << 1;
     src += src_y * s->linesize + src_x;
 
-    if (s->unrestricted_mv) {
-        if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 8, 0) ||
-            (unsigned)src_y > FFMAX(s->v_edge_pos - (motion_y & 1) - 8, 0)) {
-            s->vdsp.emulated_edge_mc(s->edge_emu_buffer, src,
-                                     s->linesize, s->linesize,
-                                     9, 9,
-                                     src_x, src_y, s->h_edge_pos,
-                                     s->v_edge_pos);
-            src = s->edge_emu_buffer;
-            emu = 1;
-        }
+    if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 8, 0) ||
+        (unsigned)src_y > FFMAX(s->v_edge_pos - (motion_y & 1) - 8, 0)) {
+        s->vdsp.emulated_edge_mc(s->edge_emu_buffer, src,
+                                 s->linesize, s->linesize,
+                                 9, 9, src_x, src_y,
+                                 s->h_edge_pos, s->v_edge_pos);
+        src = s->edge_emu_buffer;
+        emu = 1;
     }
     pix_op[dxy](dest, src, s->linesize, 8);
     return emu;