avcodec/mpegvideo_motion: Fix off by 1 error in MV bounds checking
authorMichael Niedermayer <michaelni@gmx.at>
Sun, 8 Mar 2015 00:27:56 +0000 (01:27 +0100)
committerMike Gabriel <sunweaver@debian.org>
Sat, 31 Aug 2019 15:36:55 +0000 (16:36 +0100)
Fixes Ticket4299

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2017-9987-1.patch

libavcodec/mpegvideo_motion.c

index 089cbb2357ef9b62ff591799483e51688d6b4253..0e393255a43ec91c1f172f40183542421792f6fe 100644 (file)
@@ -209,8 +209,8 @@ static inline int hpel_motion(MpegEncContext *s,
         dxy |= (motion_y & 1) << 1;
     src += src_y * s->linesize + src_x;
 
-    if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 8, 0) ||
-        (unsigned)src_y > FFMAX(s->v_edge_pos - (motion_y & 1) - 8, 0)) {
+    if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 7, 0) ||
+        (unsigned)src_y > FFMAX(s->v_edge_pos - (motion_y & 1) - 7, 0)) {
         s->vdsp.emulated_edge_mc(s->edge_emu_buffer, src,
                                  s->linesize, s->linesize,
                                  9, 9, src_x, src_y,
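Review bot: The new bounds tests in hpel_motion keep the strict `>` while raising the constant from 8 to 7, so as shown the threshold moves up by one: `src_x == s->h_edge_pos - (motion_x & 1) - 7` no longer goes through `emulated_edge_mc`, and the clamped case (FFMAX yields 0, `src_x == 0`) is still not caught. If the intent is to close the clamped case without loosening the normal one, the comparison needs to be inclusive, e.g. `if ((unsigned)src_x >= FFMAX(s->h_edge_pos - (motion_x & 1) - 7, 0) ||`, and likewise for `src_y`. The `- 15` / `- h + 1` test in the mpeg_motion_internal hunk has the same shape. Because this patch is carried as a CVE backport guarding reads from the reference picture, the operator should be checked against the upstream commit; hpel_motion's body continues outside the hunk.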
@@ -304,8 +304,8 @@ void mpeg_motion_internal(MpegEncContext *s,
     ptr_cb = ref_picture[1] + uvsrc_y * uvlinesize + uvsrc_x;
     ptr_cr = ref_picture[2] + uvsrc_y * uvlinesize + uvsrc_x;
 
-    if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 16, 0) ||
-        (unsigned)src_y > FFMAX(v_edge_pos - (motion_y & 1) - h, 0)) {
+    if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 15, 0) ||
+        (unsigned)src_y > FFMAX(v_edge_pos - (motion_y & 1) - h + 1, 0)) {
         if (is_mpeg12 ||
             s->codec_id == AV_CODEC_ID_MPEG2VIDEO ||
             s->codec_id == AV_CODEC_ID_MPEG1VIDEO) {
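Review bot: The horizontal limit in mpeg_motion_internal is a bare `15` while the vertical one is derived from `h`, and nothing in the hunk says why the two differ or what the `+ 1` accounts for. A short comment above the test would make the invariant checkable by the next person backporting this, e.g. `/* block must lie fully inside [0, edge_pos); (motion & 1) adds the extra half-pel sample */`. Presumably 15 is the luma block width minus one, which should be confirmed against the callers before it is written down. The function body starts and ends outside the hunk.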