shithub: dav1d


ref: cf9ec49ac7d0c766ea88ea801c0831bca3e663a9
parent: faa090082febba0719d650238ce0cc51565551ed
author: Janne Grunau <[email protected]>
date: Wed Nov 14 08:58:57 EST 2018

mc: use width/height of reference frame in warp_affine

Fixes a heap buffer overflow in emu_edge_c with
clusterfuzz-testcase-minimized-dav1d_fuzzer_mt-5089954858795008 if the
reference frame is smaller than the current frame. Credits to oss-fuzz.

--- a/src/recon_tmpl.c
+++ b/src/recon_tmpl.c
@@ -678,8 +678,8 @@
     const int h_mul = 4 >> ss_hor, v_mul = 4 >> ss_ver;
     assert(!((b_dim[0] * h_mul) & 7) && !((b_dim[1] * v_mul) & 7));
     const int32_t *const mat = wmp->matrix;
-    const int width = (f->cur.p.p.w + ss_hor) >> ss_hor;
-    const int height = (f->cur.p.p.h + ss_ver) >> ss_ver;
+    const int width = (refp->p.p.w + ss_hor) >> ss_hor;
+    const int height = (refp->p.p.h + ss_ver) >> ss_ver;
 
     for (int y = 0; y < b_dim[1] * v_mul; y += 8) {
         for (int x = 0; x < b_dim[0] * h_mul; x += 8) {
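Review bot: The new `width`/`height` lines have no comment saying why the bound comes from `refp` rather than `f->cur`, so a later cleanup could revert them and reopen the overflow in the edge-emulation path. I would add `/* clamp against the plane actually read: refp may be smaller than the current frame */` above them. The hunk also does not show whether the warp path is skipped or rescaled when the reference differs in size from the current frame; the positions derived from `wmp->matrix` appear to be in current-frame coordinates, so the bounds are now safe but it is worth confirming the predicted samples are still the intended ones. `ss_hor`/`ss_ver` are applied to the reference dimensions, which assumes the reference has the same chroma layout as the current frame. The enclosing function starts before this hunk and the loop body continues past it, so the uses of `width` and `height` are not visible here.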