diff options
| author | James Almer <jamrial@gmail.com> | 2025-08-10 13:44:31 -0300 |
|---|---|---|
| committer | James Almer <jamrial@gmail.com> | 2025-08-12 19:59:21 +0000 |
| commit | 4b39d776c39f3a049932c8be0d46f48a4a3a0a7c (patch) | |
| tree | dc4eb5ae84c6f89a51ceaca1e5edea31becf34e7 /libavcodec/cbs_apv.c | |
| parent | 0469d68acb52081ca8385b844b9650398242be0f (diff) | |
| download | ffmpeg-4b39d776c39f3a049932c8be0d46f48a4a3a0a7c.tar.gz | |
avcodec/cbs_apv: store derived tile information in a per frame basis
If a single fragment contains more than one frame unit, the tile information stored
in the private context will only correspond to one of them.
Fixes: crash (out of array access)
Fixes: 435489659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APV_fuzzer-6194885205229568
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
Diffstat (limited to 'libavcodec/cbs_apv.c')
| -rw-r--r-- | libavcodec/cbs_apv.c | 27 |
1 files changed, 6 insertions, 21 deletions
diff --git a/libavcodec/cbs_apv.c b/libavcodec/cbs_apv.c index 5239cd1269..fdc9042939 100644 --- a/libavcodec/cbs_apv.c +++ b/libavcodec/cbs_apv.c @@ -37,33 +37,18 @@ static int cbs_apv_get_num_comp(const APVRawFrameHeader *fh) } } -static void cbs_apv_derive_tile_info(APVDerivedTileInfo *ti, +static void cbs_apv_derive_tile_info(CodedBitstreamContext *ctx, const APVRawFrameHeader *fh) { + CodedBitstreamAPVContext *priv = ctx->priv_data; int frame_width_in_mbs = (fh->frame_info.frame_width + 15) / 16; int frame_height_in_mbs = (fh->frame_info.frame_height + 15) / 16; - int start_mb, i; + int tile_cols = (frame_width_in_mbs + fh->tile_info.tile_width_in_mbs - 1) / fh->tile_info.tile_width_in_mbs; + int tile_rows = (frame_height_in_mbs + fh->tile_info.tile_height_in_mbs - 1) / fh->tile_info.tile_height_in_mbs; - start_mb = 0; - for (i = 0; start_mb < frame_width_in_mbs; i++) { - ti->col_starts[i] = start_mb * APV_MB_WIDTH; - start_mb += fh->tile_info.tile_width_in_mbs; - } - av_assert0(i <= APV_MAX_TILE_COLS); - ti->col_starts[i] = frame_width_in_mbs * APV_MB_WIDTH; - ti->tile_cols = i; - - start_mb = 0; - for (i = 0; start_mb < frame_height_in_mbs; i++) { - av_assert0(i < APV_MAX_TILE_ROWS); - ti->row_starts[i] = start_mb * APV_MB_HEIGHT; - start_mb += fh->tile_info.tile_height_in_mbs; - } - av_assert0(i <= APV_MAX_TILE_ROWS); - ti->row_starts[i] = frame_height_in_mbs * APV_MB_HEIGHT; - ti->tile_rows = i; + av_assert0(tile_cols <= APV_MAX_TILE_COLS && tile_rows <= APV_MAX_TILE_ROWS); - ti->num_tiles = ti->tile_cols * ti->tile_rows; + priv->num_tiles = tile_cols * tile_rows; } |