mpegvideo: Fix undefined negative shifts in ff_init_block_index
authorLuca Barbato <lu_zero@gentoo.org>
Wed, 2 Mar 2016 23:52:23 +0000 (18:52 -0500)
committerDiego Biurrun <diego@biurrun.de>
Thu, 12 Jan 2017 14:23:52 +0000 (15:23 +0100)
Bug-Id: 980
Bug-Id: CVE-2016-9819
Found-by: gcc5-ubsan.
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
(cherry picked from commit 7d4a1ff344cbf969ac648642a0fd8484fd5b8637)
Signed-off-by: Sean McGovern <gseanmcg@gmail.com>
(cherry picked from commit f106f74206e69e9056130da8bddffc39f3878ac3)
Signed-off-by: Diego Biurrun <diego@biurrun.de>
libavcodec/mpegvideo.c

index b867be2..c9bbc0b 100644 (file)
@@ -2618,9 +2618,9 @@ void ff_init_block_index(MpegEncContext *s){ //FIXME maybe rename
     s->block_index[5]= s->mb_stride*(s->mb_y + s->mb_height + 2) + s->b8_stride*s->mb_height*2 + s->mb_x - 1;
     //block_index is not used by mpeg2, so it is not affected by chroma_format
 
-    s->dest[0] = s->current_picture.f.data[0] + ((s->mb_x - 1) <<  mb_size);
-    s->dest[1] = s->current_picture.f.data[1] + ((s->mb_x - 1) << (mb_size - s->chroma_x_shift));
-    s->dest[2] = s->current_picture.f.data[2] + ((s->mb_x - 1) << (mb_size - s->chroma_x_shift));
+    s->dest[0] = s->current_picture.f.data[0] + (s->mb_x - 1) * (1 << mb_size);
+    s->dest[1] = s->current_picture.f.data[1] + (s->mb_x - 1) * (1 << (mb_size - s->chroma_x_shift));
+    s->dest[2] = s->current_picture.f.data[2] + (s->mb_x - 1) * (1 << (mb_size - s->chroma_x_shift));
 
     if(!(s->pict_type==AV_PICTURE_TYPE_B && s->avctx->draw_horiz_band && s->picture_structure==PICT_FRAME))
     {
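Review bot: The shift count `mb_size - s->chroma_x_shift` in the two chroma assignments is still unchecked, so a negative count would remain undefined even after the operand fix; `mb_size` is declared outside this hunk, so whether it can ever be smaller than `chroma_x_shift` cannot be confirmed from here. Computing the step once, `const int chroma_step = 1 << (mb_size - s->chroma_x_shift);`, gives a single place to state or assert that invariant and removes the duplicated expression. A short comment such as `// mb_x - 1 may be negative: multiply, left-shifting a negative value is undefined` above the three assignments would keep a later cleanup from turning them back into shifts. When `mb_x` is 0 the resulting `dest` pointers sit before the start of the row, and are presumably advanced before any access by code outside the hunk.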