

ref: a2bda8844ff8c9758f4c8af6bd16c547393d7b34
parent: cd57a9a0ba13aedfa6e9f67331e75936d66a621a
author: Janne Grunau <janne-vlc@jannau.net>
date: Tue Dec 18 18:38:44 EST 2018

intrabc: adjust right border to multiple of the block size

This fixes an overlapping memcpy with
clusterfuzz-testcase-minimized-dav1d_fuzzer_mt-5734069753610240. This is
a regression introduced by "intrabc: use visible width/height in mv
correction".

This reverts commit 7677c12018ac859374bdd864e42cc394fab878b2.

--- a/src/decode.c
+++ b/src/decode.c
@@ -1264,16 +1264,17 @@
         }
         int src_left   = t->bx * 4 + (b->mv[0].x >> 3);
         int src_top    = t->by * 4 + (b->mv[0].y >> 3);
-        int src_right  = src_left + w4 * 4;
-        int src_bottom = src_top  + h4 * 4;
+        int src_right  = src_left + bw4 * 4;
+        int src_bottom = src_top  + bh4 * 4;
+        const int border_right = ((ts->tiling.col_end + (bw4 - 1)) & ~(bw4 - 1)) * 4;
 
         // check against left or right tile boundary and adjust if necessary
         if (src_left < border_left) {
             src_right += border_left - src_left;
             src_left  += border_left - src_left;
-        } else if (src_right > ts->tiling.col_end * 4) {
-            src_left  -= src_right - ts->tiling.col_end * 4;
-            src_right -= src_right - ts->tiling.col_end * 4;
+        } else if (src_right > border_right) {
+            src_left  -= src_right - border_right;
+            src_right -= src_right - border_right;
         }
         // check against top tile boundary and adjust if necessary
         if (src_top < border_top) {
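Review bot: The round-up on the new `border_right` line, `(ts->tiling.col_end + (bw4 - 1)) & ~(bw4 - 1)`, is only a correct round-up when `bw4` is a power of two, and nothing in the hunk states that invariant; a comment such as `// bw4 is a power of two, so the mask rounds col_end up to a whole-block multiple` (or an assert on `!(bw4 & (bw4 - 1))`, if the file already uses assert) would make the dependency explicit for the next reader. After the right-border branch runs, `src_left` becomes `border_right - bw4 * 4` and is not re-checked against `border_left`; presumably tile column starts are aligned coarsely enough that this cannot undershoot, but it is worth confirming, since an undershoot would defeat the left-boundary clamp that precedes it. The matching bottom-border check using `src_bottom` is outside the hunk, so whether it received the same block-multiple treatment cannot be seen here. The enclosing function begins and ends outside the hunk.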