From 4b7fa553a90361da730dfffc92c4bb75a181897d Mon Sep 17 00:00:00 2001
From: Hendrik Leppkes
Date: Sun, 29 Apr 2012 16:33:41 +0000
Subject: indeo3: fix motion vector validation

The index of the motion vector has to be checked before being multiplied by 2 for the array index.

Signed-off-by: Michael Niedermayer
Signed-off-by: Derek Buitenhuis
---
 libavcodec/indeo3.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'libavcodec/indeo3.c')
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index ed3535adc7..80839406c0 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -773,12 +773,12 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
 /* get motion vector index and setup the pointer to the mv set */
 if (!ctx->need_resync)
 ctx->next_cell_data = &ctx->gb.buffer[(get_bits_count(&ctx->gb) + 7) >> 3];
- mv_idx = *(ctx->next_cell_data++) << 1;
+ mv_idx = *(ctx->next_cell_data++);
 if (mv_idx >= ctx->num_vectors) {
 av_log(avctx, AV_LOG_ERROR, "motion vector index out of range\n");
 return AVERROR_INVALIDDATA;
 }
- curr_cell.mv_ptr = &ctx->mc_vectors[mv_idx];
+ curr_cell.mv_ptr = &ctx->mc_vectors[mv_idx << 1];
 curr_cell.tree = 1; /* enter the VQ tree */
 UPDATE_BITPOS(8);
 } else { /* VQ tree DATA code */
-- 
cgit v1.2.3
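Review bot: The byte read at `mv_idx = *(ctx->next_cell_data++);` has no visible check that `ctx->next_cell_data` still points inside the input packet, so a truncated or malformed bitstream could turn it into an out-of-bounds read before the new range check runs. Unless that is already guaranteed outside the hunk (parse_bintree starts and ends beyond it), a guard such as `if (ctx->next_cell_data >= END_OF_INPUT) return AVERROR_INVALIDDATA;` belongs in front of the dereference, where `END_OF_INPUT` is a placeholder for whatever end-of-buffer pointer the context keeps. The corrected bound also relies on `ctx->mc_vectors` holding at least `2 * ctx->num_vectors` entries, which the hunk does not show; a comment above the check like `/* mv_idx counts vectors; mc_vectors stores two entries per vector */` would record that invariant for the next reader.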