From bc04dc19ee964b0ff668c6982aafcb26b363b6e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 8 Mar 2015 01:27:56 +0100 Subject: [PATCH] avcodec/mpegvideo_motion: Fix off by 1 error in MV bounds checking Fixes Ticket4299 Signed-off-by: Michael Niedermayer Gbp-Pq: Name CVE-2017-9987-1.patch --- libavcodec/mpegvideo_motion.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c index 089cbb2..0e39325 100644 --- a/libavcodec/mpegvideo_motion.c +++ b/libavcodec/mpegvideo_motion.c @@ -209,8 +209,8 @@ static inline int hpel_motion(MpegEncContext *s, dxy |= (motion_y & 1) << 1; src += src_y * s->linesize + src_x; - if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 8, 0) || - (unsigned)src_y > FFMAX(s->v_edge_pos - (motion_y & 1) - 8, 0)) { + if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 7, 0) || + (unsigned)src_y > FFMAX(s->v_edge_pos - (motion_y & 1) - 7, 0)) { s->vdsp.emulated_edge_mc(s->edge_emu_buffer, src, s->linesize, s->linesize, 9, 9, src_x, src_y, @@ -304,8 +304,8 @@ void mpeg_motion_internal(MpegEncContext *s, ptr_cb = ref_picture[1] + uvsrc_y * uvlinesize + uvsrc_x; ptr_cr = ref_picture[2] + uvsrc_y * uvlinesize + uvsrc_x; - if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 16, 0) || - (unsigned)src_y > FFMAX(v_edge_pos - (motion_y & 1) - h, 0)) { + if ((unsigned)src_x > FFMAX(s->h_edge_pos - (motion_x & 1) - 15, 0) || + (unsigned)src_y > FFMAX(v_edge_pos - (motion_y & 1) - h + 1, 0)) { if (is_mpeg12 || s->codec_id == AV_CODEC_ID_MPEG2VIDEO || s->codec_id == AV_CODEC_ID_MPEG1VIDEO) { -- 2.30.2