

ref: c3544c3fac3abf51c3cd8a8be9faf35619c8e6c5
parent: 604bbca896a6656d29493656f6a7c6e188321ff0
author: Janne Grunau <janne-vlc@jannau.net>
date: Wed Oct 10 14:55:29 EDT 2018

reallocate lf.tx_lpf_right_edge according to the number of tile columns

Fixes heap overflow with
clusterfuzz-testcase-minimized-dav1d_fuzzer-5720347626700800
Credit to OSS-Fuzz

--- a/src/decode.c
+++ b/src/decode.c
@@ -2413,7 +2413,7 @@
         f->ipred_edge[2] = &ptr[f->ipred_edge_sz * 2];
     }
 
-    if (f->sb128h > f->lf.re_sz) {
+    if (f->sb128h * f->frame_hdr.tiling.cols > f->lf.re_sz) {
         freep(&f->lf.tx_lpf_right_edge[0]);
         f->lf.tx_lpf_right_edge[0] = malloc((f->sb128h * 32 * 2) *
                                             f->frame_hdr.tiling.cols);
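Review bot: The guard on the `if` line, the `malloc` size two lines below and the stored `re_sz` in the next hunk each spell out the `sb128h * tiling.cols` product independently, which is exactly how the old guard drifted from the allocation size and produced the overflow this commit fixes; computing it once, `const int re_sz = f->sb128h * f->frame_hdr.tiling.cols;`, then using `re_sz * 32 * 2` for the malloc size and `re_sz` for both the compare and the stored value keeps the three in lockstep. The product itself is not checked for overflow; it is presumably bounded by the frame-header limits on frame height and tile columns, but a one-line comment stating that bound would save the next reader from re-deriving it. The enclosing function starts before this hunk.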
@@ -2420,7 +2420,7 @@
         if (!f->lf.tx_lpf_right_edge[0]) return -ENOMEM;
         f->lf.tx_lpf_right_edge[1] = f->lf.tx_lpf_right_edge[0] +
                                      f->sb128h * 32 * f->frame_hdr.tiling.cols;
-        f->lf.re_sz = f->sb128h;
+        f->lf.re_sz = f->sb128h * f->frame_hdr.tiling.cols;
     }
 
     // init ref mvs
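Review bot: On the `-ENOMEM` path the old buffer has already been freed and `tx_lpf_right_edge[0]` holds malloc's NULL, but `re_sz` still records the previous capacity, so a later call with the same frame dimensions takes the `else` path of the guard and continues with a NULL buffer; `tx_lpf_right_edge[1]` is likewise left pointing into the freed block. Resetting the bookkeeping on failure, `if (!f->lf.tx_lpf_right_edge[0]) { f->lf.re_sz = 0; return -ENOMEM; }`, forces the next attempt to reallocate, and clearing `f->lf.tx_lpf_right_edge[1] = NULL` next to the freep removes the dangling pointer. Whether the decoder is ever re-entered after -ENOMEM is not visible here, so this may be purely defensive, but it costs one assignment. The enclosing function continues past this hunk.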