From 5c2ad0bd61c6f224a1e5c8ad026f7df961107708 Mon Sep 17 00:00:00 2001
From: Jiyong Min
Date: Mon, 28 Nov 2016 14:19:02 +0900
Subject: [PATCH] Fix out of bounds read. (Apply security patch for CVE-2016-7424) - Referenced The put_no_rnd_pixels8_xy2_mmx function in x86/rnd_template.c in libav 11.7 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted MP3 file https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7424 - Solution https://git.libav.org/?p=libav.git;a=commit;h=136f55207521f0b03194ef5b55ba70f1635d6aee Fix out of bounds read.
Change-Id: I20a5beb71b95b0286f89a66441d07fce7d21de9a
Signed-off-by: Jiyong Min
---
 libavcodec/mpegvideo_motion.c | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c
index f33db34..a3cba98 100644
--- a/libavcodec/mpegvideo_motion.c
+++ b/libavcodec/mpegvideo_motion.c
@@ -209,17 +209,14 @@ static inline int hpel_motion(MpegEncContext *s,
 dxy |= (motion_y & 1) << 1;
 src += src_y * s->linesize + src_x;
- if (s->unrestricted_mv) {
- if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 8, 0) ||
- (unsigned)src_y > FFMAX(s->v_edge_pos - (motion_y & 1) - 8, 0)) {
- s->vdsp.emulated_edge_mc(s->edge_emu_buffer, src,
- s->linesize, s->linesize,
- 9, 9,
- src_x, src_y, s->h_edge_pos,
- s->v_edge_pos);
- src = s->edge_emu_buffer;
- emu = 1;
- }
- }
+ if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 8, 0) ||
+ (unsigned)src_y > FFMAX(s->v_edge_pos - (motion_y & 1) - 8, 0)) {
+ s->vdsp.emulated_edge_mc(s->edge_emu_buffer, src,
+ s->linesize, s->linesize,
+ 9, 9, src_x, src_y,
+ s->h_edge_pos, s->v_edge_pos);
+ src = s->edge_emu_buffer;
+ emu = 1;
 }
 pix_op[dxy](dest, src, s->linesize, 8);
 return emu;
--
2.7.4
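Review bot: Nothing in the new code records why the edge check in hpel_motion no longer depends on `s->unrestricted_mv`, so a later cleanup could restore the guard and reopen the out-of-bounds read. I would add a comment above the `if`, for example `/* Always range-check: the source position follows decoded motion vectors and may fall outside the picture even when unrestricted MVs are not signalled (CVE-2016-7424); the (unsigned) casts also reject negative coordinates. */`. Because the emulation path is now reachable for streams that never set `unrestricted_mv`, confirm that `s->edge_emu_buffer` is allocated for every codec that can reach this function; its allocation is not visible in this hunk. The hunk as shown has twelve `-` lines, while the header (`-209,17`) and the diffstat count eleven, so compare it with the referenced upstream commit before applying. hpel_motion begins above the hunk, so the clamping of `src_x`/`src_y` that precedes this check cannot be reviewed here.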