avcodec/agm: validate actual src_y against prev plane in decode_inter_plane
authorDavid Korczynski <david@adalogics.com>
Tue, 26 May 2026 12:00:00 +0000 (12:00 +0000)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 14 Jun 2026 02:59:13 +0000 (04:59 +0200)
Found-by: Anthropic agents; validated and reported by Ada Logics.
Signed-off-by: David Korczynski <david@adalogics.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 45278542816cab5e8dcb120f9bd62e43ab2857bd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/agm.c

index fdf896d61a05c887035cbe0200571e22fcf022c7..92d65db0a92f09226d947ee9d3b11ac926da8e6e 100644 (file)
@@ -408,12 +408,14 @@ static int decode_inter_plane(AGMContext *s, GetBitContext *gb, int size,
                 int map = s->map[x];
 
                 if (orig_mv_x >= -32) {
-                    if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 > h ||
-                        x * 8 + mv_x < 0 || x * 8 + mv_x + 8 > w)
+                    int src_y = (s->blocks_h - 1 - y) * 8 - mv_y;
+                    int src_x = x * 8 + mv_x;
+                    if (src_y < 0 || src_y + 8 > h ||
+                        src_x < 0 || src_x + 8 > w)
                         return AVERROR_INVALIDDATA;
 
                     copy_block8(frame->data[plane] + (s->blocks_h - 1 - y) * 8 * frame->linesize[plane] + x * 8,
-                                prev->data[plane] + ((s->blocks_h - 1 - y) * 8 - mv_y) * prev->linesize[plane] + (x * 8 + mv_x),
+                                prev->data[plane] + src_y * prev->linesize[plane] + src_x,
                                 frame->linesize[plane], prev->linesize[plane], 8);
                     if (map) {
                         s->idsp.idct(s->wblocks + x * 64);
@@ -445,12 +447,14 @@ static int decode_inter_plane(AGMContext *s, GetBitContext *gb, int size,
                     return ret;
 
                 if (orig_mv_x >= -32) {
-                    if (y * 8 + mv_y < 0 || y * 8 + mv_y + 8 > h ||
-                        x * 8 + mv_x < 0 || x * 8 + mv_x + 8 > w)
+                    int src_y = (s->blocks_h - 1 - y) * 8 - mv_y;
+                    int src_x = x * 8 + mv_x;
+                    if (src_y < 0 || src_y + 8 > h ||
+                        src_x < 0 || src_x + 8 > w)
                         return AVERROR_INVALIDDATA;
 
                     copy_block8(frame->data[plane] + (s->blocks_h - 1 - y) * 8 * frame->linesize[plane] + x * 8,
-                                prev->data[plane] + ((s->blocks_h - 1 - y) * 8 - mv_y) * prev->linesize[plane] + (x * 8 + mv_x),
+                                prev->data[plane] + src_y * prev->linesize[plane] + src_x,
                                 frame->linesize[plane], prev->linesize[plane], 8);
                     if (map) {
                         s->idsp.idct(s->block);