ref: ba23ac8cba19a0d685decc5033dedcd1ff12fa2a
parent: eaaf2218689d5942a050f9f9081ec473becb77e0
author: Henrik Gramner <gramner@twoorioles.com>
date: Tue Jan 28 18:49:26 EST 2020
Fix crash in dav1d_apply_grain() with negative picture strides
--- a/src/fg_apply_tmpl.c
+++ b/src/fg_apply_tmpl.c
@@ -122,17 +122,32 @@
// TODO: eliminate in favor of per-plane refs
assert(out->stride[0] == in->stride[0]);
if (!data->num_y_points) {
- memcpy(out->data[0], in->data[0], out->p.h * out->stride[0]);
+ const ptrdiff_t stride = out->stride[0];
+ const ptrdiff_t sz = out->p.h * stride;
+ if (sz < 0)
+ memcpy((uint8_t*) out->data[0] + sz - stride,
+ (uint8_t*) in->data[0] + sz - stride, -sz);
+ else
+ memcpy(out->data[0], in->data[0], sz);
}
- if (in->p.layout != DAV1D_PIXEL_LAYOUT_I400) {
+ if (in->p.layout != DAV1D_PIXEL_LAYOUT_I400 && !data->chroma_scaling_from_luma) {
assert(out->stride[1] == in->stride[1]);
- for (int i = 0; i < 2; i++) {
- if (!data->num_uv_points[i] && !data->chroma_scaling_from_luma) {
- const int suby = in->p.layout == DAV1D_PIXEL_LAYOUT_I420;
- memcpy(out->data[1+i], in->data[1+i],
- (out->p.h >> suby) * out->stride[1]);
- }
+ const int ss_ver = in->p.layout == DAV1D_PIXEL_LAYOUT_I420;
+ const ptrdiff_t stride = out->stride[1];
+ const ptrdiff_t sz = (out->p.h * stride) >> ss_ver;
+ if (sz < 0) {
+ if (!data->num_uv_points[0])
+ memcpy((uint8_t*) out->data[1] + sz - stride,
+ (uint8_t*) in->data[1] + sz - stride, -sz);
+ if (!data->num_uv_points[1])
+ memcpy((uint8_t*) out->data[2] + sz - stride,
+ (uint8_t*) in->data[2] + sz - stride, -sz);
+ } else {
+ if (!data->num_uv_points[0])
+ memcpy(out->data[1], in->data[1], sz);
+ if (!data->num_uv_points[1])
+ memcpy(out->data[2], in->data[2], sz);
}
}