From: Michael Niedermayer Date: Sun, 8 Mar 2015 00:27:56 +0000 (+0100) Subject: avcodec/mpegvideo_motion: Fix off by 1 error in MV bounds checking X-Git-Tag: archive/raspbian/6%11.12-1_deb8u8+rpi1^2~4 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=a9d26409fd1973a4a2daba587a64c440830e041e;p=libav.git avcodec/mpegvideo_motion: Fix off by 1 error in MV bounds checking Fixes Ticket4299 Signed-off-by: Michael Niedermayer Gbp-Pq: Name CVE-2017-9987-1.patch
---
diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c
index 089cbb2..0e39325 100644
--- a/libavcodec/mpegvideo_motion.c
+++ b/libavcodec/mpegvideo_motion.c
@@ -209,8 +209,8 @@ static inline int hpel_motion(MpegEncContext *s,
 dxy |= (motion_y & 1) << 1; src += src_y * s->linesize + src_x;
- if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 8, 0) ||
- (unsigned)src_y > FFMAX(s->v_edge_pos - (motion_y & 1) - 8, 0)) {
+ if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 7, 0) ||
+ (unsigned)src_y > FFMAX(s->v_edge_pos - (motion_y & 1) - 7, 0)) {
 s->vdsp.emulated_edge_mc(s->edge_emu_buffer, src, s->linesize, s->linesize, 9, 9, src_x, src_y,
@@ -304,8 +304,8 @@ void mpeg_motion_internal(MpegEncContext *s,
 ptr_cb = ref_picture[1] + uvsrc_y * uvlinesize + uvsrc_x; ptr_cr = ref_picture[2] + uvsrc_y * uvlinesize + uvsrc_x;
- if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 16, 0) ||
- (unsigned)src_y > FFMAX(v_edge_pos - (motion_y & 1) - h, 0)) {
+ if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 15, 0) ||
+ (unsigned)src_y > FFMAX(v_edge_pos - (motion_y & 1) - h + 1, 0)) {
 if (is_mpeg12 || s->codec_id == AV_CODEC_ID_MPEG2VIDEO || s->codec_id == AV_CODEC_ID_MPEG1VIDEO) {
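Review bot: As shown on this page, both new conditions keep the strict `>` while raising the threshold by one (`- 8` to `- 7`, `- 16` to `- 15`, `- h` to `- h + 1`), so the `emulated_edge_mc` path is now skipped for one more `src_x`/`src_y` position than before, not one fewer. If `h_edge_pos`/`v_edge_pos` are exclusive bounds (they are defined outside these hunks, so this is inferred), a position equal to the new threshold goes unemulated and the block read can extend one sample past the edge; a picture narrower than the block also still passes at position 0, because `FFMAX(..., 0)` clamps the threshold and `0 > 0` is false. The new constants look like they were meant to pair with `>=`: in `hpel_motion`, `if ((unsigned)src_x >= FFMAX(s->h_edge_pos - (motion_x & 1) - 7, 0) ||` and `(unsigned)src_y >= FFMAX(s->v_edge_pos - (motion_y & 1) - 7, 0)) {`, with the same operator change on the two new lines in `mpeg_motion_internal`. Please check the operator against the upstream change this patch backports before relying on it as the fix; both functions begin and end outside the hunks, so the block dimensions are not visible here.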