ref: 66adb457af2bedc1280af147047c64683834d939
parent: 026069693ef5511368e105cc177f72c917e0f3a9
author: Janne Grunau <janne-vlc@jannau.net>
date: Wed Nov 14 06:49:51 EST 2018
mc: use PXSTRIDE consistently in {put,prep}_8tap_scaled_c

Fixes a heap buffer overflow with high bit depth scaled reference frames in clusterfuzz-testcase-minimized-dav1d_fuzzer_mt-5652139771166720. Credits to oss-fuzz.
--- a/src/mc_tmpl.c
+++ b/src/mc_tmpl.c
@@ -149,12 +149,13 @@
static NOINLINE void
put_8tap_scaled_c(pixel *dst, const ptrdiff_t dst_stride,
- const pixel *src, const ptrdiff_t src_stride,
+ const pixel *src, ptrdiff_t src_stride,
const int w, int h, const int mx, int my,
const int dx, const int dy, const int filter_type)
{
int tmp_h = (((h - 1) * dy + my) >> 10) + 8;
coef mid[128 * (256 + 7)], *mid_ptr = mid;
+ src_stride = PXSTRIDE(src_stride);
src -= src_stride * 3;
do {
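Review bot: Nothing in this hunk bounds `tmp_h` against the size of the on-stack `mid` array in put_8tap_scaled_c, which holds 256 + 7 rows of 128 coefficients and is advanced by one row per loop iteration. `tmp_h` comes straight from `h`, `dy` and `my`, so if the callers' limits on block height and scale step ever loosen, the first pass would write past `mid` on the stack. The callers presumably guarantee the range today, but that is not visible here; stating it next to the computation, e.g. `assert(tmp_h <= 256 + 7);`, would make the invariant checkable in debug and fuzzing builds. The same applies to prep_8tap_scaled_c in the hunk at -241,12. The function body continues outside the hunk.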
@@ -170,7 +171,7 @@
}
mid_ptr += 128;
- src += PXSTRIDE(src_stride);
+ src += src_stride;
} while (--tmp_h);
mid_ptr = mid + 128 * 3;
@@ -241,12 +242,13 @@
}
static NOINLINE void
-prep_8tap_scaled_c(coef *tmp, const pixel *src, const ptrdiff_t src_stride,
+prep_8tap_scaled_c(coef *tmp, const pixel *src, ptrdiff_t src_stride,
const int w, int h, const int mx, int my,
const int dx, const int dy, const int filter_type)
{
int tmp_h = (((h - 1) * dy + my) >> 10) + 8;
coef mid[128 * (256 + 7)], *mid_ptr = mid;
+ src_stride = PXSTRIDE(src_stride);
src -= src_stride * 3;
do {
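Review bot: Reassigning `src_stride` in place changes its unit from bytes to pixels partway through prep_8tap_scaled_c, and the same happens in put_8tap_scaled_c, where `dst_stride` stays `const` and presumably remains in bytes. The overflow being fixed came from exactly this kind of unit mix-up in `src -= src_stride * 3`, so the conversion deserves a comment at the point it happens, e.g. `/* src_stride is in pixel units from here on, not bytes */`. A separate local such as `const ptrdiff_t src_px_stride = PXSTRIDE(src_stride);` would keep the parameter `const` and make later misuse harder, at the cost of touching more lines. The rest of the function is outside the hunk, so any remaining uses of `src_stride` there should be checked against the new unit.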
@@ -262,7 +264,7 @@
}
mid_ptr += 128;
- src += PXSTRIDE(src_stride);
+ src += src_stride;
} while (--tmp_h);
mid_ptr = mid + 128 * 3;