ref: cf9ec49ac7d0c766ea88ea801c0831bca3e663a9
parent: faa090082febba0719d650238ce0cc51565551ed
author: Janne Grunau <janne-vlc@jannau.net>
date: Wed Nov 14 08:58:57 EST 2018
mc: use width/height of reference frame in warp_affine Fixes a heap buffer overflow in emu_edge_c with clusterfuzz-testcase-minimized-dav1d_fuzzer_mt-5089954858795008 if the reference frame is smaller than the current frame. Credits to oss-fuzz.
--- a/src/recon_tmpl.c
+++ b/src/recon_tmpl.c
@@ -678,8 +678,8 @@
const int h_mul = 4 >> ss_hor, v_mul = 4 >> ss_ver;
assert(!((b_dim[0] * h_mul) & 7) && !((b_dim[1] * v_mul) & 7));
const int32_t *const mat = wmp->matrix;
- const int width = (f->cur.p.p.w + ss_hor) >> ss_hor;
- const int height = (f->cur.p.p.h + ss_ver) >> ss_ver;
+ const int width = (refp->p.p.w + ss_hor) >> ss_hor;
+ const int height = (refp->p.p.h + ss_ver) >> ss_ver;
for (int y = 0; y < b_dim[1] * v_mul; y += 8) {
for (int x = 0; x < b_dim[0] * h_mul; x += 8) {
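Review bot: The new `width`/`height` lines carry no comment saying why they are taken from `refp` rather than `f->cur`, and that is the invariant this fix depends on: the bounds have to describe the picture that is actually read. I would add above them `/* bounds of the reference picture being read; it can be smaller than the current frame */`. The loop that consumes these values continues outside the hunk, so their uses are not visible here; if other prediction paths in this file still derive edge bounds from `f->cur.p.p.w`/`h` while reading from a reference, they presumably need the same change. The minimized fuzzer input named in the commit message would be worth keeping as a regression test so the overflow cannot return unnoticed.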