author | Janne Grunau <janne-vlc@jannau.net> | 2018-11-04 19:50:54 +0300 |
---|---|---|
committer | Janne Grunau <janne-vlc@jannau.net> | 2018-11-04 21:51:33 +0300 |
commit | 22d3b6d98079d2e100c3be0ed658d9b1de1ac0c8 (patch) | |
tree | ddf5f60445b0e0e16ea3b1957078428e819076cb /src/lf_apply_tmpl.c | |
parent | ef677d6aa184c8954dc4de78919262dd18348fa0 (diff) |
loopfilter: limit filter width to the frame edge
Fixes ubsan index-out-of-bounds error in loop_filter_v_sb128y_c() with
clusterfuzz-testcase-minimized-dav1d_fuzzer-5691087507685376. Credits to
oss-fuzz.
Diffstat (limited to 'src/lf_apply_tmpl.c')
-rw-r--r-- | src/lf_apply_tmpl.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/lf_apply_tmpl.c b/src/lf_apply_tmpl.c
index 8589a3d..02468ff 100644
--- a/src/lf_apply_tmpl.c
+++ b/src/lf_apply_tmpl.c
@@ -235,7 +235,8 @@ void bytefn(dav1d_loopfilter_sbrow)(const Dav1dFrameContext *const f,
  x < f->sb128w; x++, a++)
  {
  uint16_t (*const y_vmask)[2] = lflvl[x].filter_y[1][starty4];
- for (unsigned mask = 1, i = 0; i < 32; mask <<= 1, i++) {
+ const unsigned w = imin(32, (f->w4 >> sbl2) - x);
+ for (unsigned mask = 1, i = 0; i < w; mask <<= 1, i++) {
  const int sidx = mask >= 0x10000U;
  const unsigned smask = mask >> (sidx << 4);
  const int idx = 2 * !!(y_vmask[2][sidx] & smask) +
@@ -247,8 +248,9 @@ void bytefn(dav1d_loopfilter_sbrow)(const Dav1dFrameContext *const f,
  }
  if (f->cur.p.p.layout != DAV1D_PIXEL_LAYOUT_I400) {
+ const unsigned cw = (w + ss_hor) >> ss_hor;
  uint16_t (*const uv_vmask)[2] = lflvl[x].filter_uv[1][starty4 >> ss_ver];
- for (unsigned uv_mask = 1, i = 0; i < (32U >> ss_hor); uv_mask <<= 1, i++) {
+ for (unsigned uv_mask = 1, i = 0; i < cw; uv_mask <<= 1, i++) {
  const int sidx = uv_mask >= hmax;
  const unsigned smask = uv_mask >> (sidx << (4 - ss_hor));
  const int idx = !!(uv_vmask[1][sidx] & smask); |
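Review bot: The new bound `(f->w4 >> sbl2) - x` in the first hunk appears to be in superblock units, while the loop it limits walks `i` over the 4-pixel columns inside one 128-pixel superblock (up to 32, one mask bit each). `sbl2` is defined outside the hunk, so this is inferred; if it is the superblock size shift, `w` becomes the number of superblocks left instead of the number of 4-pixel columns left, and it can drop to 0 for a partial last superblock, so that column would get no filter level at all. A bound in the loop's own units would be `const unsigned w = imin(32, f->w4 - (x << 5));`, and `cw` in the second hunk inherits whatever `w` is. Because `w` is unsigned, a negative `imin()` result would turn into a very large loop count, so an `assert` or a one-line comment stating why the difference cannot be negative would help. The function body continues outside both hunks.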