Message ID | 20190802234957.11098-3-michael@niedermayer.cc |
---|---|
State | Superseded |
On Sat, Aug 03, 2019 at 01:49:54AM +0200, Michael Niedermayer wrote: > Fixes: Timeout (72sec -> 1sec) > Fixes: 15512/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PICTOR_fuzzer-5663942342344704 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/pictordec.c | 16 +++++++++++++++- > 1 file changed, 15 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c > index 2e6fcdca52..5beb03cd5d 100644 > --- a/libavcodec/pictordec.c > +++ b/libavcodec/pictordec.c > @@ -66,6 +66,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, > int xl = *x; > int yl = *y; > int planel = *plane; > + int pixels_per_value = 8/bits_per_plane; > value <<= shift; > > d = frame->data[0] + yl * frame->linesize[0]; > @@ -74,7 +75,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, > for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) { > d[xl] |= (value >> j) & mask; > xl += 1; > - if (xl == s->width) { > + while (xl == s->width) { > yl -= 1; > xl = 0; > if (yl < 0) { > @@ -86,6 +87,19 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, > mask <<= bits_per_plane; > } > d = frame->data[0] + yl * frame->linesize[0]; > + if (s->nb_planes == 1 && > + run*pixels_per_value >= s->width && > + pixels_per_value < s->width) { > + int j; > + for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) { suggest naming it 'k' to avoid confusion with earlier for loop. > + d[xl] |= (value >> j) & mask; > + xl += 1; > + } > + av_assert0(xl == pixels_per_value); ok. > + av_memcpy_backptr(d+xl, pixels_per_value, s->width - xl); > + run -= (s->width + pixels_per_value - 1) / pixels_per_value; > + xl = s->width; > + } > } > } > run--; > -- > 2.22.0 otherwise patch is good. -- Peter (A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
index 2e6fcdca52..5beb03cd5d 100644
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -66,6 +66,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run,
     int xl = *x;
     int yl = *y;
     int planel = *plane;
+    int pixels_per_value = 8/bits_per_plane;
     value <<= shift;
 
     d = frame->data[0] + yl * frame->linesize[0];
@@ -74,7 +75,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run,
         for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) {
             d[xl] |= (value >> j) & mask;
             xl += 1;
-            if (xl == s->width) {
+            while (xl == s->width) {
                 yl -= 1;
                 xl = 0;
                 if (yl < 0) {
@@ -86,6 +87,19 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run,
                     mask <<= bits_per_plane;
                 }
                 d = frame->data[0] + yl * frame->linesize[0];
+                if (s->nb_planes == 1 &&
+                    run*pixels_per_value >= s->width &&
+                    pixels_per_value < s->width) {
+                    int j;
+                    for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) {
+                        d[xl] |= (value >> j) & mask;
+                        xl += 1;
+                    }
+                    av_assert0(xl == pixels_per_value);
+                    av_memcpy_backptr(d+xl, pixels_per_value, s->width - xl);
+                    run -= (s->width + pixels_per_value - 1) / pixels_per_value;
+                    xl = s->width;
+                }
             }
         }
         run--;
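Review bot: The fast path in the third hunk can produce different pixels than the slow path it short-circuits: it restarts the new row from the value's top bits (`j = 8-bits_per_plane`) even when the row wrap happened mid-value, and `run -= (s->width + pixels_per_value - 1) / pixels_per_value` charges a whole value for a partial tail whenever `s->width` is not a multiple of `pixels_per_value`, so both the pixel phase and the run accounting drift away from the unoptimized loop, and the outer `for` then continues with a stale `j` on the next row. Restricting the shortcut to `s->width % pixels_per_value == 0` and resuming from the outer loop's `j` instead of redeclaring it keeps the output byte-identical while still filling whole rows with one `av_memcpy_backptr`, as sketched below (the `av_assert0` becomes redundant because the loop bound is `pixels_per_value`). It is also worth confirming that `run*pixels_per_value >= s->width` leaves enough values once the pixels of the current value already written to the previous row are taken into account, since the trailing `run--` charges that value again; I cannot verify this from the hunk alone. picmemset() begins before the first hunk and its enclosing `while` loop closes after the third.
```c
                if (s->nb_planes == 1 &&
                    run*pixels_per_value >= s->width &&
                    pixels_per_value < s->width &&
                    s->width % pixels_per_value == 0) {
                    /* Continue from the bit position the outer loop stopped at so
                     * the row keeps the same pixel phase as the slow path would. */
                    for (; xl < pixels_per_value; xl++) {
                        j = (j < bits_per_plane ? 8 : j) - bits_per_plane;
                        d[xl] |= (value >> j) & mask;
                    }
                    av_memcpy_backptr(d+xl, pixels_per_value, s->width - xl);
                    run -= s->width / pixels_per_value;
                    xl = s->width;
                }
```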
Fixes: Timeout (72sec -> 1sec) Fixes: 15512/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PICTOR_fuzzer-5663942342344704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/pictordec.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-)