ref: 0bdd992ee117e0074854916710f198fce7f772f0
parent: 305537cae94ff6b998c908412eaf8a16288866d4
author: Janne Grunau <janne-vlc@jannau.net>
date: Wed Oct 24 18:17:07 EDT 2018
loop restoration: maximal stripe height is 128 + 8

Due to the stripe offset of 8 rows, the last stripe can have a height of 128 + 8 rows if the resolution is a multiple of 128. Fixes a stack-buffer-overflow in clusterfuzz-testcase-minimized-dav1d_fuzzer-5731418676658176. Credits to oss-fuzz.
--- a/src/lr_apply.c
+++ b/src/lr_apply.c
@@ -222,7 +222,7 @@
const int filter_h =
imin(((1 << (6 + f->seq_hdr.sb128)) - 8 * !y) >> ss_ver, h - y);
- pixel pre_lr_border[2][128 /* maximum sbrow height is 128 */][4];
+ pixel pre_lr_border[2][128 + 8 /* maximum sbrow height is 128 + 8 rows offset */][4];
int unit_w = unit_size, bit = 0;