ref: c1b0808c4035bd0d62d7bfd66d0befe220ec1e52
parent: 81b10e8c9bda866ec5f3520e788932b75d019af5
author: Janne Grunau <[email protected]>
date: Sat Nov 24 07:44:38 EST 2018
backup_lpf: do not store 4 pixels rows at the bottom edge of the picture Fixes #192, a use-of-uninitialized-value in resize_c with clusterfuzz-testcase-minimized-dav1d_fuzzer-5657755306688512. Credits to oss-fuzz.
--- a/src/lr_apply_tmpl.c
+++ b/src/lr_apply_tmpl.c
@@ -110,7 +110,7 @@
if (restore_planes & LR_RESTORE_Y) {
const int h = f->bh << 2;
const int w = f->bw << 2;
- const int row_h = imin((sby + 1) << (6 + f->seq_hdr.sb128), h);
+ const int row_h = imin((sby + 1) << (6 + f->seq_hdr.sb128), h - 4);
const int y_stripe = (sby << (6 + f->seq_hdr.sb128)) - offset;
backup_lpf(f, f->lf.lr_lpf_line_ptr[0], lr_stride,
src[0] - offset * PXSTRIDE(src_stride[0]), src_stride[0],
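Review bot: The bare `4` in `h - 4` carries no comment explaining why the bottom rows are excluded, and nothing visible in this hunk shows that `h` is at least 4, so `row_h` could go negative for a very small picture unless `f->bh` is bounded elsewhere. Because this path is reachable from fuzzed bitstreams, I would put the invariant next to the clamp, for example `assert(h >= 4);` together with a comment such as `/* the last 4 rows of the picture are not backed up, see #192 */`. The same applies to the chroma clamp in the second hunk. The enclosing function starts and ends outside the hunk, so how backup_lpf uses `row_h` cannot be checked from here.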
@@ -121,7 +121,7 @@
const int ss_hor = f->sr_cur.p.p.layout != DAV1D_PIXEL_LAYOUT_I444;
const int h = f->bh << (2 - ss_ver);
const int w = f->bw << (2 - ss_hor);
- const int row_h = imin((sby + 1) << ((6 - ss_ver) + f->seq_hdr.sb128), h);
+ const int row_h = imin((sby + 1) << ((6 - ss_ver) + f->seq_hdr.sb128), h - 4);
const ptrdiff_t offset_uv = offset >> ss_ver;
const int y_stripe =
(sby << ((6 - ss_ver) + f->seq_hdr.sb128)) - offset_uv;
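Review bot: The chroma clamp subtracts the same constant `4` although `h` here is already scaled by `ss_ver`, so for vertically subsampled layouts the excluded band corresponds to twice as many luma rows as in the Y hunk. If that is intended, a short comment such as `/* margin is 4 chroma rows, not scaled by ss_ver */` would settle the question for the next reader; if it is not, the margin would presumably need to be `4 >> ss_ver`. The block continues past the end of the hunk, so the backup_lpf call that consumes `row_h` is not visible here.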