Commit c1b0808c authored by Janne Grunau's avatar Janne Grunau

backup_lpf: do not store 4 pixels rows at the bottom edge of the picture

Fixes #192, an use-of-uninitialized-value in resize_c with
clusterfuzz-testcase-minimized-dav1d_fuzzer-5657755306688512. Credits to
oss-fuzz.
parent 81b10e8c
......@@ -110,7 +110,7 @@ void bytefn(dav1d_lr_copy_lpf)(Dav1dFrameContext *const f,
if (restore_planes & LR_RESTORE_Y) {
const int h = f->bh << 2;
const int w = f->bw << 2;
const int row_h = imin((sby + 1) << (6 + f->seq_hdr.sb128), h);
const int row_h = imin((sby + 1) << (6 + f->seq_hdr.sb128), h - 4);
const int y_stripe = (sby << (6 + f->seq_hdr.sb128)) - offset;
backup_lpf(f, f->lf.lr_lpf_line_ptr[0], lr_stride,
src[0] - offset * PXSTRIDE(src_stride[0]), src_stride[0],
......@@ -121,7 +121,7 @@ void bytefn(dav1d_lr_copy_lpf)(Dav1dFrameContext *const f,
const int ss_hor = f->sr_cur.p.p.layout != DAV1D_PIXEL_LAYOUT_I444;
const int h = f->bh << (2 - ss_ver);
const int w = f->bw << (2 - ss_hor);
const int row_h = imin((sby + 1) << ((6 - ss_ver) + f->seq_hdr.sb128), h);
const int row_h = imin((sby + 1) << ((6 - ss_ver) + f->seq_hdr.sb128), h - 4);
const ptrdiff_t offset_uv = offset >> ss_ver;
const int y_stripe =
(sby << ((6 - ss_ver) + f->seq_hdr.sb128)) - offset_uv;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment