author | Janne Grunau <janne-vlc@jannau.net> | 2019-09-02 01:46:10 +0300 |
committer | Janne Grunau <janne-vlc@jannau.net> | 2019-09-03 09:24:45 +0300 |
commit | 863c3731dc635be394229c0169833c668c5dda13 (patch) | |
tree | 3c2127bb7ed836e5bf0a6cfc01b0ffa63e817130 | |
parent | bfc9f72ad5766c0b8b9f13c2f0b4cffa742ec606 (diff) |
TileContext: reorder scratch buffer to avoid conflicts
The chroma part of pal_idx potentially conflicts during intra
reconstruction with edge_{8,16}bpc. Fixes out of range pixel values
caused by invalid palette indices in
clusterfuzz-testcase-minimized-dav1d_fuzzer_mt-5076736684851200.
Fixes #294. Reported as integer overflows in boxsum5sqr with undefined
behavior sanitizer. Credits to oss-fuzz.
-rw-r--r-- | src/internal.h | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/src/internal.h b/src/internal.h
index 8ce5b16..785c9b8 100644
--- a/src/internal.h
+++ b/src/internal.h
@@ -302,14 +302,6 @@ struct Dav1dTileContext {
 };
 };
 struct {
- uint8_t interintra_8bpc[64 * 64];
- uint8_t edge_8bpc[257];
- };
- struct {
- uint16_t interintra_16bpc[64 * 64];
- uint16_t edge_16bpc[257];
- };
- struct {
 union {
 uint8_t levels[32 * 34];
 struct {
@@ -317,10 +309,20 @@ struct Dav1dTileContext {
 uint8_t pal_ctx[64];
 };
 };
+ int16_t ac[32 * 32];
 uint8_t pal_idx[2 * 64 * 64];
 uint16_t pal[3 /* plane */][8 /* palette_idx */];
+ ALIGN(union, 32) {
+ struct {
+ uint8_t interintra_8bpc[64 * 64];
+ uint8_t edge_8bpc[257];
+ };
+ struct {
+ uint16_t interintra_16bpc[64 * 64];
+ uint16_t edge_16bpc[257];
+ };
+ };
 };
- int16_t ac[32 * 32];
 } scratch;
 Dav1dWarpedMotionParams warpmv;
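Review bot: Nothing in the new layout records why interintra_{8,16}bpc and edge_{8,16}bpc had to move into their own ALIGN(union, 32) member after pal_idx, so the next reorder of scratch can silently reintroduce the overlap this commit fixes (hunk 2 is the one that matters; hunk 1 only deletes the old placement). A comment at the new union, `/* live at the same time as pal_idx/pal during intra recon: must not alias the palette buffers above */`, would carry the invariant from the commit message into the header where the next editor will see it. The two anonymous structs inside the union differ in size (8bpc: 64*64+257 bytes, 16bpc: twice that), which the union tolerates but presumably relies on only one bit depth being active per tile context — worth stating in the same comment. The enclosing `scratch` struct of Dav1dTileContext begins before hunk 1 and the outer union it sits in is not visible here, so aliasing against members outside these hunks cannot be checked from this diff.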