

ref: 39b35e34c85c07dc21c4242d1372934a674cac22
parent: a9a09b7022ef85fce334f4a7b79e3dde818a68f9
author: Janne Grunau <[email protected]>
date: Wed Nov 7 16:26:33 EST 2018

fix backup of t->l.tx_lpf_uv at tile boundaries for 4:2:2 and 4:4:4

Fixes #132, use of uninitialized value in dav1d_loopfilter_sbrow_16bpc
with clusterfuzz-testcase-minimized-dav1d_fuzzer-5734861545930752.
Credits to oss-fuzz and Tyson Smith.

--- a/src/decode.c
+++ b/src/decode.c
@@ -2392,9 +2392,10 @@
     int align_h = (f->bh + 31) & ~31;
     memcpy(&f->lf.tx_lpf_right_edge[0][align_h * tile_col + t->by],
            &t->l.tx_lpf_y[t->by & 16], sb_step);
-    align_h >>= 1;
-    memcpy(&f->lf.tx_lpf_right_edge[1][align_h * tile_col + (t->by >> 1)],
-           &t->l.tx_lpf_uv[(t->by & 16) >> 1], sb_step >> 1);
+    align_h >>= ss_ver;
+
+    memcpy(&f->lf.tx_lpf_right_edge[1][align_h * tile_col + (t->by >> ss_ver)],
+           &t->l.tx_lpf_uv[(t->by & 16) >> ss_ver], sb_step >> ss_ver);
 
     return 0;
 }
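Review bot: The bare `>> ss_ver` on the destination index, the source index and the length of the chroma memcpy leave the reader to work out why chroma rows are no longer halved unconditionally; a one-line comment above `align_h >>= ss_ver;` such as `/* chroma LPF rows follow vertical subsampling: 4:2:0 halves, 4:2:2 and 4:4:4 keep full height */` would record why the fuzzer-found uninitialized read went away. The blank line added between `align_h >>= ss_ver;` and the memcpy that consumes it separates two statements that belong together, and dropping it keeps the luma and chroma backups visually parallel. `ss_ver` is presumably declared earlier in the enclosing function, which starts before the hunk, so its range (0 or 1) and whether `tx_lpf_uv` and `tx_lpf_right_edge[1]` are sized for the full-height copy that 4:4:4 now performs cannot be confirmed from here.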