41 lines
2 KiB
Text
41 lines
2 KiB
Text
|
Fix tile_start_off calculations for extremely large frame sizes
|
||
|
|
|
||
|
|
2b475307dc11be9a1c3cc4358102c76a7f386a51
|
||
|
|
|
||
|
|
CVE-2024-1580
|
||
|
|
|
||
|
|
Index: src/decode.c
|
||
|
|
--- src/decode.c.orig
|
||
|
|
+++ src/decode.c
|
||
|
|
@@ -2630,7 +2630,7 @@ static void setup_tile(Dav1dTileState *const ts,
|
||
|
|
const Dav1dFrameContext *const f,
|
||
|
|
const uint8_t *const data, const size_t sz,
|
||
|
|
const int tile_row, const int tile_col,
|
||
|
|
- const int tile_start_off)
|
||
|
|
+ const unsigned tile_start_off)
|
||
|
|
{
|
||
|
|
const int col_sb_start = f->frame_hdr->tiling.col_start_sb[tile_col];
|
||
|
|
const int col_sb128_start = col_sb_start >> !f->seq_hdr->sb128;
|
||
|
|
@@ -2981,15 +2981,16 @@ int dav1d_decode_frame_init(Dav1dFrameContext *const f
|
||
|
|
const uint8_t *const size_mul = ss_size_mul[f->cur.p.layout];
|
||
|
|
const int hbd = !!f->seq_hdr->hbd;
|
||
|
|
if (c->n_fc > 1) {
|
||
|
|
+ const unsigned sb_step4 = f->sb_step * 4;
|
||
|
|
int tile_idx = 0;
|
||
|
|
for (int tile_row = 0; tile_row < f->frame_hdr->tiling.rows; tile_row++) {
|
||
|
|
- int row_off = f->frame_hdr->tiling.row_start_sb[tile_row] *
|
||
|
|
- f->sb_step * 4 * f->sb128w * 128;
|
||
|
|
- int b_diff = (f->frame_hdr->tiling.row_start_sb[tile_row + 1] -
|
||
|
|
- f->frame_hdr->tiling.row_start_sb[tile_row]) * f->sb_step * 4;
|
||
|
|
+ const unsigned row_off = f->frame_hdr->tiling.row_start_sb[tile_row] *
|
||
|
|
+ sb_step4 * f->sb128w * 128;
|
||
|
|
+ const unsigned b_diff = (f->frame_hdr->tiling.row_start_sb[tile_row + 1] -
|
||
|
|
+ f->frame_hdr->tiling.row_start_sb[tile_row]) * sb_step4;
|
||
|
|
for (int tile_col = 0; tile_col < f->frame_hdr->tiling.cols; tile_col++) {
|
||
|
|
f->frame_thread.tile_start_off[tile_idx++] = row_off + b_diff *
|
||
|
|
- f->frame_hdr->tiling.col_start_sb[tile_col] * f->sb_step * 4;
|
||
|
|
+ f->frame_hdr->tiling.col_start_sb[tile_col] * sb_step4;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|