Commit cf9ec49a authored by Janne Grunau

mc: use width/height of reference frame in warp_affine

Fixes a heap buffer overflow in emu_edge_c with
clusterfuzz-testcase-minimized-dav1d_fuzzer_mt-5089954858795008 if the
reference frame is smaller than the current frame. Credits to oss-fuzz.
parent faa09008
......@@ -678,8 +678,8 @@ static int warp_affine(Dav1dTileContext *const t,
const int h_mul = 4 >> ss_hor, v_mul = 4 >> ss_ver;
assert(!((b_dim[0] * h_mul) & 7) && !((b_dim[1] * v_mul) & 7));
const int32_t *const mat = wmp->matrix;
const int width = (f->cur.p.p.w + ss_hor) >> ss_hor;
const int height = (f->cur.p.p.h + ss_ver) >> ss_ver;
const int width = (refp->p.p.w + ss_hor) >> ss_hor;
const int height = (refp->p.p.h + ss_ver) >> ss_ver;
for (int y = 0; y < b_dim[1] * v_mul; y += 8) {
for (int x = 0; x < b_dim[0] * h_mul; x += 8) {
......
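Review bot: the replacement `width`/`height` declarations near the top of this hunk have no comment explaining why the bounds come from `refp->p.p` rather than `f->cur.p.p`, and that choice is the whole fix. A one-line comment above them, saying that the reference frame can be smaller than the current frame and that these values bound reads from the reference buffer, would keep a later cleanup from switching back to the current-frame dimensions. The hunk shows only `warp_affine`, so it is also worth checking whether any other path in this file passes `f->cur` dimensions to the edge-emulation code while reading from a reference picture, and adding the fuzzer testcase named in the commit message as a regression test.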