Commit 0bdd992e authored by Janne Grunau, committed by Ronald S. Bultje

loop restoration: maximal stripe height is 128 + 8

Due to the stripe offset of 8 rows the last stripe can have a height of
128 + 8 rows if the resolution is a multiple of 128. Fixes a
stack-buffer-overflow in
clusterfuzz-testcase-minimized-dav1d_fuzzer-5731418676658176. Credits to
oss-fuzz.
parent 305537ca
......@@ -222,7 +222,7 @@ static void lr_sbrow(const Dav1dFrameContext *const f, pixel *p, const int y,
const int filter_h =
imin(((1 << (6 + f->seq_hdr.sb128)) - 8 * !y) >> ss_ver, h - y);
pixel pre_lr_border[2][128 /* maximum sbrow height is 128 */][4];
pixel pre_lr_border[2][128 + 8 /* maximum sbrow height is 128 + 8 rows offset */][4];
int unit_w = unit_size, bit = 0;
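Review bot: The enlarged bound of 128 + 8 in the `pre_lr_border` declaration is a bare literal, while the stripe height that indexes this buffer is computed separately (see `filter_h` at the top of the hunk, which caps at `(1 << (6 + f->seq_hdr.sb128)) - 8 * !y` shifted by `ss_ver`), so nothing ties the array size to the number of rows actually written. Consider introducing a named constant for the maximum stripe height and adding an `assert()` against it where rows are copied into `pre_lr_border`, so that a future change to the stripe layout fails loudly in a debug build instead of recreating the stack overflow the commit message describes. The explanatory comment is helpful; extending it to say why the extra 8 rows appear (the last stripe absorbs the 8-row offset when the height is a multiple of 128) would make the literal self-documenting for the next reader.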
......