

ref: 30d5f4862889a8b336cd4b391f58482b5b40b196
parent: 046188e48787b74717d921c58c46371ff2d00ea1
author: Henrik Gramner <[email protected]>
date: Fri May 10 19:15:32 EDT 2019

Add a hard upper frame size limit on 32-bit systems

Prevents overflows in malloc size calculations.

--- a/src/lib.c
+++ b/src/lib.c
@@ -103,6 +103,18 @@
     c->operating_point = s->operating_point;
     c->all_layers = s->all_layers;
     c->frame_size_limit = s->frame_size_limit;
+
+    /* On 32-bit systems extremely large frame sizes can cause overflows in
+     * dav1d_decode_frame() malloc size calculations. Prevent that from occuring
+     * by enforcing a maximum frame size limit, chosen to roughly correspond to
+     * the largest size possible to decode without exhausting virtual memory. */
+    if (sizeof(size_t) < 8 && s->frame_size_limit - 1 >= 8192 * 8192) {
+        c->frame_size_limit = 8192 * 8192;
+        if (s->frame_size_limit)
+            dav1d_log(c, "Frame size limit reduced from %u to %u.\n",
+                      s->frame_size_limit, c->frame_size_limit);
+    }
+
     c->frame_thread.flush = &c->frame_thread.flush_mem;
     atomic_init(c->frame_thread.flush, 0);
     c->n_fc = s->n_frame_threads;
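Review bot: The `- 1` in the added condition `s->frame_size_limit - 1 >= 8192 * 8192` depends on unsigned wraparound so that a limit of 0 (presumably "no limit", given the log is suppressed for it on the following lines) is clamped as well, but the comment above the check does not mention this and a reader may take it for an off-by-one. Suggest adding, directly above the `if`, `/* 0 (no limit) wraps to UINT_MAX here and is clamped as well */`. The constant `8192 * 8192` appears twice; a single named constant (for instance a `#define` next to the other limits in this file) would keep the comparison and the assignment in sync. The comment's "occuring" should read "occurring". The enclosing function starts before this hunk, so whether `c`'s logger fields are already initialized when `dav1d_log(c, ...)` is called cannot be confirmed from here.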
--- a/tools/dav1d_cli_parse.c
+++ b/tools/dav1d_cli_parse.c
@@ -312,8 +312,7 @@
             lib_settings->all_layers =
                 !!parse_unsigned(optarg, ARG_ALL_LAYERS, argv[0]);
             break;
-        case ARG_SIZE_LIMIT:
-        {
+        case ARG_SIZE_LIMIT: {
             char *arg = optarg, *end;
             uint64_t res = strtoul(arg, &end, 0);
             if (*end == 'x') // NxM