ref: 30d5f4862889a8b336cd4b391f58482b5b40b196
parent: 046188e48787b74717d921c58c46371ff2d00ea1
author: Henrik Gramner <gramner@twoorioles.com>
date: Fri May 10 19:15:32 EDT 2019
Add a hard upper frame size limit on 32-bit systems. Prevents overflows in malloc size calculations.
--- a/src/lib.c
+++ b/src/lib.c
@@ -103,6 +103,18 @@
c->operating_point = s->operating_point;
c->all_layers = s->all_layers;
c->frame_size_limit = s->frame_size_limit;
+
+ /* On 32-bit systems extremely large frame sizes can cause overflows in
+ * dav1d_decode_frame() malloc size calculations. Prevent that from occuring
+ * by enforcing a maximum frame size limit, chosen to roughly correspond to
+ * the largest size possible to decode without exhausting virtual memory. */
+ if (sizeof(size_t) < 8 && s->frame_size_limit - 1 >= 8192 * 8192) {
+ c->frame_size_limit = 8192 * 8192;
+ if (s->frame_size_limit)
+ dav1d_log(c, "Frame size limit reduced from %u to %u.\n",
+ s->frame_size_limit, c->frame_size_limit);
+ }
+
c->frame_thread.flush = &c->frame_thread.flush_mem;
atomic_init(c->frame_thread.flush, 0);
c->n_fc = s->n_frame_threads;
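Review bot: The clamp condition on the `if (sizeof(size_t) < 8 && s->frame_size_limit - 1 >= 8192 * 8192)` line relies on unsigned wraparound of `s->frame_size_limit - 1` to fold the "0 means no limit" case (implied by the `if (s->frame_size_limit)` guard on the log call) into the clamp, and that only holds if `frame_size_limit` is an unsigned type, which the `%u` format suggests but the hunk does not show. Writing the two cases out keeps the intent readable and drops the dependence on the field's signedness: `if (sizeof(size_t) < 8 && (!s->frame_size_limit || s->frame_size_limit > 8192 * 8192))`. The limit `8192 * 8192` is also spelled twice (condition and assignment); a single named constant would keep the two from drifting apart, and the comment above has a typo, `occuring` → `occurring`. The enclosing function starts and ends outside the hunk.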
--- a/tools/dav1d_cli_parse.c
+++ b/tools/dav1d_cli_parse.c
@@ -312,8 +312,7 @@
lib_settings->all_layers =
!!parse_unsigned(optarg, ARG_ALL_LAYERS, argv[0]);
break;
- case ARG_SIZE_LIMIT:
- {
+ case ARG_SIZE_LIMIT: {
char *arg = optarg, *end;
uint64_t res = strtoul(arg, &end, 0);
if (*end == 'x') // NxM