ref: 39b35e34c85c07dc21c4242d1372934a674cac22
parent: a9a09b7022ef85fce334f4a7b79e3dde818a68f9
author: Janne Grunau <janne-vlc@jannau.net>
date: Wed Nov 7 16:26:33 EST 2018
fix backup of t->l.tx_lpf_uv at tile boundaries for 4:2:2 and 4:4:4 Fixes #132, use of uninitilized value in dav1d_loopfilter_sbrow_16bpc with clusterfuzz-testcase-minimized-dav1d_fuzzer-5734861545930752. Credits to oss-fuzz and Tyson Smith.
--- a/src/decode.c
+++ b/src/decode.c
@@ -2392,9 +2392,10 @@
int align_h = (f->bh + 31) & ~31;
memcpy(&f->lf.tx_lpf_right_edge[0][align_h * tile_col + t->by],
&t->l.tx_lpf_y[t->by & 16], sb_step);
- align_h >>= 1;
- memcpy(&f->lf.tx_lpf_right_edge[1][align_h * tile_col + (t->by >> 1)],
- &t->l.tx_lpf_uv[(t->by & 16) >> 1], sb_step >> 1);
+ align_h >>= ss_ver;
+
+ memcpy(&f->lf.tx_lpf_right_edge[1][align_h * tile_col + (t->by >> ss_ver)],
+ &t->l.tx_lpf_uv[(t->by & 16) >> ss_ver], sb_step >> ss_ver);
return 0;
}