

ref: b9a43c60954a5ca338febf252a1abbed2cd9e4d0
parent: 5e8eccf283bafe4663c44379473b4c7660154e2c
author: Luc Trudeau <ltrudeau@twoorioles.com>
date: Thu Nov 21 11:48:00 EST 2019

Avoid adding offsets to NULL pointers

Applying a non-zero offset to a NULL pointer is undefined behavior.

--- a/src/decode.c
+++ b/src/decode.c
@@ -524,6 +524,7 @@
 {
     int have_top = i > first;
 
+    assert(pal_idx);
     pal_idx += first + (i - first) * stride;
     for (int j = first, n = 0; j >= last; have_top = 1, j--, n++, pal_idx += stride - 1) {
         const int have_left = j > 0;
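Review bot: The `assert(pal_idx)` added at the top of this hunk only fires in debug builds; under NDEBUG it is compiled out and the `pal_idx += first + (i - first) * stride` on the following line is again unguarded if a caller ever passes NULL, so the assert documents a precondition rather than enforcing one. A comment stating where the guarantee comes from would make that explicit, e.g. `/* pal_idx is never NULL here: the frame-threaded caller hands us its slice of f->frame_thread.pal_idx, which is validated before use; the non-threaded path supplies its own buffer */` — hedged, because the non-threaded branch of the callers is not in this diff. The same applies to the other asserts this commit adds (the `pal_idx[0]` write in the second decode.c hunk, the two `ts->frame_thread.pal_idx` hunks after it, and the three recon_tmpl.c hunks), so one comment at this first site and a short cross-reference elsewhere would suffice. The signature of the enclosing function lies above this hunk.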
@@ -586,6 +587,7 @@
 {
     Dav1dTileState *const ts = t->ts;
     const ptrdiff_t stride = bw4 * 4;
+    assert(pal_idx);
     pal_idx[0] = dav1d_msac_decode_uniform(&ts->msac, b->pal_sz[pl]);
     uint16_t (*const color_map_cdf)[8] =
         ts->cdf.m.color_map[pl][b->pal_sz[pl] - 2];
@@ -1125,6 +1127,7 @@
         if (b->pal_sz[0]) {
             uint8_t *pal_idx;
             if (f->frame_thread.pass) {
+                assert(ts->frame_thread.pal_idx);
                 pal_idx = ts->frame_thread.pal_idx;
                 ts->frame_thread.pal_idx += bw4 * bh4 * 16;
             } else
@@ -1137,6 +1140,7 @@
         if (has_chroma && b->pal_sz[1]) {
             uint8_t *pal_idx;
             if (f->frame_thread.pass) {
+                assert(ts->frame_thread.pal_idx);
                 pal_idx = ts->frame_thread.pal_idx;
                 ts->frame_thread.pal_idx += cbw4 * cbh4 * 16;
             } else
@@ -2322,10 +2326,15 @@
     const int sb_shift = f->sb_shift;
 
     const uint8_t *const size_mul = ss_size_mul[f->cur.p.layout];
-    ts->frame_thread.pal_idx =
-        &f->frame_thread.pal_idx[(size_t)tile_start_off * size_mul[1] / 4];
-    ts->frame_thread.cf = (uint8_t*)f->frame_thread.cf +
-        (((size_t)tile_start_off * size_mul[0]) >> !f->seq_hdr->hbd);
+    ts->frame_thread.pal_idx = f->frame_thread.pal_idx ?
+        &f->frame_thread.pal_idx[(size_t)tile_start_off * size_mul[1] / 4] :
+        NULL;
+
+    ts->frame_thread.cf = f->frame_thread.cf ?
+        (uint8_t*)f->frame_thread.cf +
+            (((size_t)tile_start_off * size_mul[0]) >> !f->seq_hdr->hbd) :
+        NULL;
+
     dav1d_cdf_thread_copy(&ts->cdf, &f->in_cdf);
     ts->last_qidx = f->frame_hdr->quant.yac;
     memset(ts->last_delta_lf, 0, sizeof(ts->last_delta_lf));
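Review bot: Nothing in this hunk says when `f->frame_thread.pal_idx` and `f->frame_thread.cf` can be NULL, so a reader meets a NULL check with no stated reason and may later drop it as dead; the reason belongs in a comment above the two assignments. Something like `/* the frame_thread buffers are presumably only allocated when frame threading is in use; leave the per-tile pointers NULL rather than offset a NULL base, which is undefined behaviour — confirm against the allocation site */` would do, hedged because that allocation is not in this diff. The function this hunk belongs to begins above it, and the same assignment pair is repeated verbatim in the next decode.c hunk.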
@@ -3110,12 +3119,18 @@
                  tile_idx++)
             {
                 Dav1dTileState *const ts = &f->ts[tile_idx];
-                const int tile_start_off = f->frame_thread.tile_start_off[tile_idx];
-                ts->frame_thread.pal_idx = &f->frame_thread.pal_idx[tile_start_off * size_mul[1] / 4];
-                ts->frame_thread.cf = (uint8_t*)f->frame_thread.cf +
-                    ((tile_start_off * size_mul[0]) >> !f->seq_hdr->hbd);
+                const size_t tile_start_off =
+                    (size_t) f->frame_thread.tile_start_off[tile_idx];
+                ts->frame_thread.pal_idx = f->frame_thread.pal_idx ?
+                    &f->frame_thread.pal_idx[tile_start_off * size_mul[1] / 4] :
+                    NULL;
+                ts->frame_thread.cf = f->frame_thread.cf ?
+                    (uint8_t*)f->frame_thread.cf +
+                        ((tile_start_off * size_mul[0]) >> !f->seq_hdr->hbd) :
+                    NULL;
                 if (f->n_tc > 0) {
-                    unsigned row_sb_start = f->frame_hdr->tiling.row_start_sb[ts->tiling.row];
+                    const unsigned row_sb_start =
+                        f->frame_hdr->tiling.row_start_sb[ts->tiling.row];
                     atomic_init(&ts->progress, row_sb_start);
                 }
             }
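Review bot: The assignment pair setting `ts->frame_thread.pal_idx` and `ts->frame_thread.cf` in this hunk is a verbatim copy of the one in the previous decode.c hunk, NULL guard and `size_mul`/`hbd` arithmetic included, so the two copies of the same UB-avoidance logic are likely to drift apart the next time either is touched. Pulling both into one static helper keeps the guard in a single place and gives it a home for the explanatory comment. The sketch below assumes `f` is a `Dav1dFrameContext *` as elsewhere in decode.c and that `size_mul` is the `const uint8_t *` row already in scope at both call sites; the enclosing loop and function begin above this hunk.
```c
/* Point one tile's frame-thread scratch pointers at its slice of the
 * frame-level buffers. When a buffer is absent the tile pointer stays
 * NULL: adding an offset to a NULL pointer is undefined behaviour. */
static void set_tile_frame_thread_ptrs(Dav1dTileState *const ts,
                                       const Dav1dFrameContext *const f,
                                       const size_t tile_start_off,
                                       const uint8_t *const size_mul)
{
    ts->frame_thread.pal_idx = f->frame_thread.pal_idx ?
        &f->frame_thread.pal_idx[tile_start_off * size_mul[1] / 4] : NULL;
    ts->frame_thread.cf = f->frame_thread.cf ?
        (uint8_t*)f->frame_thread.cf +
            ((tile_start_off * size_mul[0]) >> !f->seq_hdr->hbd) : NULL;
}

/* … unchanged: tile loop header and tile_start_off computation … */
                set_tile_frame_thread_ptrs(ts, f, tile_start_off, size_mul);
/* … unchanged: n_tc progress init … */
```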
--- a/src/recon_tmpl.c
+++ b/src/recon_tmpl.c
@@ -680,6 +680,7 @@
         struct CodedBlockInfo *cbi;
 
         if (f->frame_thread.pass) {
+            assert(ts->frame_thread.cf);
             cf = ts->frame_thread.cf;
             ts->frame_thread.cf += imin(t_dim->w, 8) * imin(t_dim->h, 8) * 16;
             cbi = &f->frame_thread.cbi[t->by * f->b4_stride + t->bx];
@@ -1149,6 +1150,7 @@
                              4 * (t->by * PXSTRIDE(f->cur.stride[0]) + t->bx);
                 const uint8_t *pal_idx;
                 if (f->frame_thread.pass) {
+                    assert(ts->frame_thread.pal_idx);
                     pal_idx = ts->frame_thread.pal_idx;
                     ts->frame_thread.pal_idx += bw4 * bh4 * 16;
                 } else {
@@ -1345,6 +1347,7 @@
                 const uint16_t (*pal)[8];
                 const uint8_t *pal_idx;
                 if (f->frame_thread.pass) {
+                    assert(ts->frame_thread.pal_idx);
                     pal = f->frame_thread.pal[((t->by >> 1) + (t->bx & 1)) * (f->b4_stride >> 1) +
                                               ((t->bx >> 1) + (t->by & 1))];
                     pal_idx = ts->frame_thread.pal_idx;