Commit c3544c3f authored by Janne Grunau's avatar Janne Grunau

reallocate lf.tx_lpf_right_edge accoring to the number of tile columns

Fixes heap overflow with
clusterfuzz-testcase-minimized-dav1d_fuzzer-5720347626700800
Credit to OSS-Fuzz
parent 604bbca8
...@@ -2413,14 +2413,14 @@ int dav1d_decode_frame(Dav1dFrameContext *const f) { ...@@ -2413,14 +2413,14 @@ int dav1d_decode_frame(Dav1dFrameContext *const f) {
f->ipred_edge[2] = &ptr[f->ipred_edge_sz * 2]; f->ipred_edge[2] = &ptr[f->ipred_edge_sz * 2];
} }
if (f->sb128h > f->lf.re_sz) { if (f->sb128h * f->frame_hdr.tiling.cols > f->lf.re_sz) {
freep(&f->lf.tx_lpf_right_edge[0]); freep(&f->lf.tx_lpf_right_edge[0]);
f->lf.tx_lpf_right_edge[0] = malloc((f->sb128h * 32 * 2) * f->lf.tx_lpf_right_edge[0] = malloc((f->sb128h * 32 * 2) *
f->frame_hdr.tiling.cols); f->frame_hdr.tiling.cols);
if (!f->lf.tx_lpf_right_edge[0]) return -ENOMEM; if (!f->lf.tx_lpf_right_edge[0]) return -ENOMEM;
f->lf.tx_lpf_right_edge[1] = f->lf.tx_lpf_right_edge[0] + f->lf.tx_lpf_right_edge[1] = f->lf.tx_lpf_right_edge[0] +
f->sb128h * 32 * f->frame_hdr.tiling.cols; f->sb128h * 32 * f->frame_hdr.tiling.cols;
f->lf.re_sz = f->sb128h; f->lf.re_sz = f->sb128h * f->frame_hdr.tiling.cols;
} }
// init ref mvs // init ref mvs
......
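Review bot: On the -ENOMEM path after `freep(&f->lf.tx_lpf_right_edge[0])`, `f->lf.re_sz` still records the old capacity while the buffer is gone, so a later frame whose `sb128h * tiling.cols` product fits within the stale `re_sz` would skip this block and hand the loop filter a freed or NULL edge buffer (this assumes freep nulls the pointer and that the frame context is reused after a failed decode — worth confirming). Resetting the recorded capacity before the free, `f->lf.re_sz = 0;` ahead of the `freep` call, keeps the size field and the allocation in step on every path. The `f->sb128h * f->frame_hdr.tiling.cols` product is now spelled out three times in the block; a local such as `const int re_sz = f->sb128h * f->frame_hdr.tiling.cols;` used in the condition, the malloc size and the final assignment would prevent the three from drifting apart again, which is exactly how the original mismatch arose. dav1d_decode_frame begins and ends outside this hunk.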