From a3a55b18494f5dd1e34f289298f78ffa4f32a25d Mon Sep 17 00:00:00 2001
From: Victorien Le Couviour--Tuffet
Date: Tue, 30 Aug 2022 17:21:54 +0200
Subject: threading: Fix copy_lpf_progress initialization

The copy_lpf_progress bitfield might not be fully cleared when size goes down.

Credit to Oss-Fuzz.
---
 src/thread_task.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/thread_task.c b/src/thread_task.c
index 53aa41e..655956c 100644
--- a/src/thread_task.c
+++ b/src/thread_task.c
@@ -192,13 +192,14 @@ static int create_filter_sbrow(Dav1dFrameContext *const f,
 const int prog_sz = ((f->sbh + 31) & ~31) >> 5;
 if (prog_sz > f->frame_thread.prog_sz) {
 atomic_uint *const prog = realloc(f->frame_thread.frame_progress,
- prog_sz * 2 * sizeof(*prog));
+ 2 * prog_sz * sizeof(*prog));
 if (!prog) return -1;
 f->frame_thread.frame_progress = prog;
 f->frame_thread.copy_lpf_progress = prog + prog_sz;
 f->frame_thread.prog_sz = prog_sz;
 }
- memset(f->frame_thread.frame_progress, 0, prog_sz * 2 * sizeof(atomic_uint));
+ memset(f->frame_thread.frame_progress, 0, prog_sz * sizeof(atomic_uint));
+ memset(f->frame_thread.copy_lpf_progress, 0, prog_sz * sizeof(atomic_uint));
 atomic_store(&f->frame_thread.deblock_progress, 0);
 }
 f->frame_thread.next_tile_row[pass & 1] = 0;
-- 
cgit v1.2.3
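Review bot: The two memset calls at the end of the hunk depend on an invariant the code never states: copy_lpf_progress was set to `prog + prog_sz` at the time of the last growth, so once the frame shrinks it lies beyond the first prog_sz entries of frame_progress and a single clear of 2*prog_sz entries starting at frame_progress can miss part or all of it. Without a comment, the next refactor is likely to fold the two calls back into one and reintroduce the bug this commit fixes; a one-line note above the first memset such as `/* copy_lpf_progress sits at the prog_sz of the last growth, not the current one; clear both ranges separately */` would pin it down. The sizes could also use `sizeof(*f->frame_thread.frame_progress)` to match the realloc a few lines up rather than spelling out `atomic_uint` twice, so the two expressions cannot drift apart. create_filter_sbrow starts and ends outside the hunk.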