Message ID | 20190803110949.GQ3219@michaelspb |
---|---|
State | Accepted |
Commit | 5231e89eb9eedc119d4f762469355f83e3628f20 |
Headers | show |
On Sat, Aug 03, 2019 at 01:09:49PM +0200, Michael Niedermayer wrote: > On Sat, Aug 03, 2019 at 12:43:32PM +1000, Peter Ross wrote: > > On Sat, Aug 03, 2019 at 01:49:54AM +0200, Michael Niedermayer wrote: > > > Fixes: Timeout (72sec -> 1sec) > > > Fixes: 15512/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PICTOR_fuzzer-5663942342344704 > > > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > > --- > > > libavcodec/pictordec.c | 16 +++++++++++++++- > > > 1 file changed, 15 insertions(+), 1 deletion(-) > > > > > > diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c > > > index 2e6fcdca52..5beb03cd5d 100644 > > > --- a/libavcodec/pictordec.c > > > +++ b/libavcodec/pictordec.c > > > @@ -66,6 +66,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, > > > int xl = *x; > > > int yl = *y; > > > int planel = *plane; > > > + int pixels_per_value = 8/bits_per_plane; > > > value <<= shift; > > > > > > d = frame->data[0] + yl * frame->linesize[0]; > > > @@ -74,7 +75,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, > > > for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) { > > > d[xl] |= (value >> j) & mask; > > > xl += 1; > > > - if (xl == s->width) { > > > + while (xl == s->width) { > > > yl -= 1; > > > xl = 0; > > > if (yl < 0) { > > > @@ -86,6 +87,19 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, > > > mask <<= bits_per_plane; > > > } > > > d = frame->data[0] + yl * frame->linesize[0]; > > > + if (s->nb_planes == 1 && > > > + run*pixels_per_value >= s->width && > > > + pixels_per_value < s->width) { > > > + int j; > > > + for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) { > > > > suggest naming it 'k' to avoid confusion with earlier for loop. > > actually, looking at this again, i think we should use the same j, > This also now excludes s->width % pixels_per_value != 0 for which i suspect there > is no testcase. Ill add support for this in case the fuzzer finds a case > that way we then also have a testcase for implementing that corner case. > > heres the new code: > > --- a/libavcodec/pictordec.c > +++ b/libavcodec/pictordec.c > @@ -66,6 +66,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, > int xl = *x; > int yl = *y; > int planel = *plane; > + int pixels_per_value = 8/bits_per_plane; > value <<= shift; > > d = frame->data[0] + yl * frame->linesize[0]; > @@ -74,7 +75,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, > for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) { > d[xl] |= (value >> j) & mask; > xl += 1; > - if (xl == s->width) { > + while (xl == s->width) { > yl -= 1; > xl = 0; > if (yl < 0) { > @@ -86,6 +87,19 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, > mask <<= bits_per_plane; > } > d = frame->data[0] + yl * frame->linesize[0]; > + if (s->nb_planes == 1 && > + run*pixels_per_value >= s->width && > + pixels_per_value < s->width && > + s->width % pixels_per_value == 0 > + ) { > + for (; xl < pixels_per_value; xl ++) { > + j = (j < bits_per_plane ? 8 : j) - bits_per_plane; > + d[xl] |= (value >> j) & mask; > + } > + av_memcpy_backptr(d+xl, pixels_per_value, s->width - xl); > + run -= s->width / pixels_per_value; > + xl = s->width; > + } > } > } > run--; will apply [...]
--- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -66,6 +66,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, int xl = *x; int yl = *y; int planel = *plane; + int pixels_per_value = 8/bits_per_plane; value <<= shift; d = frame->data[0] + yl * frame->linesize[0]; @@ -74,7 +75,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) { d[xl] |= (value >> j) & mask; xl += 1; - if (xl == s->width) { + while (xl == s->width) { yl -= 1; xl = 0; if (yl < 0) { @@ -86,6 +87,19 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, mask <<= bits_per_plane; } d = frame->data[0] + yl * frame->linesize[0]; + if (s->nb_planes == 1 && + run*pixels_per_value >= s->width && + pixels_per_value < s->width && + s->width % pixels_per_value == 0 + ) { + for (; xl < pixels_per_value; xl ++) { + j = (j < bits_per_plane ? 8 : j) - bits_per_plane; + d[xl] |= (value >> j) & mask; + } + av_memcpy_backptr(d+xl, pixels_per_value, s->width - xl); + run -= s->width / pixels_per_value; + xl = s->width; + } } } run--;