

ref: c1b0808c4035bd0d62d7bfd66d0befe220ec1e52
parent: 81b10e8c9bda866ec5f3520e788932b75d019af5
author: Janne Grunau <[email protected]>
date: Sat Nov 24 07:44:38 EST 2018

backup_lpf: do not store 4 pixels rows at the bottom edge of the picture

Fixes #192, a use-of-uninitialized-value in resize_c with
clusterfuzz-testcase-minimized-dav1d_fuzzer-5657755306688512. Credits to
oss-fuzz.

--- a/src/lr_apply_tmpl.c
+++ b/src/lr_apply_tmpl.c
@@ -110,7 +110,7 @@
     if (restore_planes & LR_RESTORE_Y) {
         const int h = f->bh << 2;
         const int w = f->bw << 2;
-        const int row_h = imin((sby + 1) << (6 + f->seq_hdr.sb128), h);
+        const int row_h = imin((sby + 1) << (6 + f->seq_hdr.sb128), h - 4);
         const int y_stripe = (sby << (6 + f->seq_hdr.sb128)) - offset;
         backup_lpf(f, f->lf.lr_lpf_line_ptr[0], lr_stride,
                    src[0] - offset * PXSTRIDE(src_stride[0]), src_stride[0],
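Review bot: The new bound `h - 4` on the luma row_h line is a bare magic number whose meaning is only recoverable from the commit message, and `h` itself is the block-aligned height (`f->bh << 2`) rather than the picture's pixel height. I would document the subtraction where it happens, e.g. `const int row_h = imin((sby + 1) << (6 + f->seq_hdr.sb128), h - 4); // never back up the 4 rows at the bottom picture edge (#192)`. If the picture height is not a multiple of 4, the rows between the real height and `f->bh << 2` presumably hold whatever the buffer padding contains, so it is worth confirming that the bound should not come from the picture's actual height instead. For a picture only one 4-row block high `h - 4` is 0, so confirm backup_lpf (not visible here) tolerates a `row_h` at or below `y_stripe`. The enclosing function starts before and continues past this hunk.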
@@ -121,7 +121,7 @@
         const int ss_hor = f->sr_cur.p.p.layout != DAV1D_PIXEL_LAYOUT_I444;
         const int h = f->bh << (2 - ss_ver);
         const int w = f->bw << (2 - ss_hor);
-        const int row_h = imin((sby + 1) << ((6 - ss_ver) + f->seq_hdr.sb128), h);
+        const int row_h = imin((sby + 1) << ((6 - ss_ver) + f->seq_hdr.sb128), h - 4);
         const ptrdiff_t offset_uv = offset >> ss_ver;
         const int y_stripe =
             (sby << ((6 - ss_ver) + f->seq_hdr.sb128)) - offset_uv;
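Review bot: The chroma bound on the row_h line subtracts 4 rows in chroma units from `h = f->bh << (2 - ss_ver)`, so for a vertically subsampled layout the margin skipped here corresponds to 8 luma rows, twice the 4-row luma margin; whether that asymmetry is deliberate should be stated next to the constant, e.g. `// -4 chroma rows (not 4 >> ss_ver): keep clear of the bottom picture edge`. With `ss_ver == 1` and a one-block-high picture, `h` is 2 and `h - 4` is -2, which `imin` passes through as `row_h`; backup_lpf is outside this hunk, so confirm it copes with a negative row count rather than relying on callers never to hit it. As in the luma case, `h` is block-aligned rather than the picture's pixel height, which may matter when the true chroma height is not a multiple of the block size. The enclosing function starts before and continues past this hunk.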