ref: 863c3731dc635be394229c0169833c668c5dda13
parent: bfc9f72ad5766c0b8b9f13c2f0b4cffa742ec606
author: Janne Grunau <janne-vlc@jannau.net>
date: Sun Sep 1 20:46:10 EDT 2019
TileContext: reorder scratch buffer to avoid conflicts
The chroma part of pal_idx potentially conflicts during intra
reconstruction with edge_{8,16}bpc. Fixes out of range pixel values
caused by invalid palette indices in
clusterfuzz-testcase-minimized-dav1d_fuzzer_mt-5076736684851200.
Fixes #294. Reported as integer overflows in boxsum5sqr with undefined
behavior sanitizer. Credits to oss-fuzz.
--- a/src/internal.h
+++ b/src/internal.h
@@ -302,14 +302,6 @@
};
};
struct {- uint8_t interintra_8bpc[64 * 64];
- uint8_t edge_8bpc[257];
- };
- struct {- uint16_t interintra_16bpc[64 * 64];
- uint16_t edge_16bpc[257];
- };
- struct { union {uint8_t levels[32 * 34];
struct {@@ -317,10 +309,20 @@
uint8_t pal_ctx[64];
};
};
+ int16_t ac[32 * 32];
uint8_t pal_idx[2 * 64 * 64];
uint16_t pal[3 /* plane */][8 /* palette_idx */];
+ ALIGN(union, 32) {+ struct {+ uint8_t interintra_8bpc[64 * 64];
+ uint8_t edge_8bpc[257];
+ };
+ struct {+ uint16_t interintra_16bpc[64 * 64];
+ uint16_t edge_16bpc[257];
+ };
+ };
};
- int16_t ac[32 * 32];
} scratch;
Dav1dWarpedMotionParams warpmv;