On Sat, Aug 03, 2019 at 01:09:49PM +0200, Michael Niedermayer wrote: > On Sat, Aug 03, 2019 at 12:43:32PM +1000, Peter Ross wrote: > > On Sat, Aug 03, 2019 at 01:49:54AM +0200, Michael Niedermayer wrote: > > > Fixes: Timeout (72sec -> 1sec) > > > Fixes: > > > 15512/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PICTOR_fuzzer-5663942342344704 > > > > > > Found-by: continuous fuzzing process > > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > > --- > > > libavcodec/pictordec.c | 16 +++++++++++++++- > > > 1 file changed, 15 insertions(+), 1 deletion(-) > > > > > > diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c > > > index 2e6fcdca52..5beb03cd5d 100644 > > > --- a/libavcodec/pictordec.c > > > +++ b/libavcodec/pictordec.c > > > @@ -66,6 +66,7 @@ static void picmemset(PicContext *s, AVFrame *frame, > > > unsigned value, int run, > > > int xl = *x; > > > int yl = *y; > > > int planel = *plane; > > > + int pixels_per_value = 8/bits_per_plane; > > > value <<= shift; > > > > > > d = frame->data[0] + yl * frame->linesize[0]; > > > @@ -74,7 +75,7 @@ static void picmemset(PicContext *s, AVFrame *frame, > > > unsigned value, int run, > > > for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) { > > > d[xl] |= (value >> j) & mask; > > > xl += 1; > > > - if (xl == s->width) { > > > + while (xl == s->width) { > > > yl -= 1; > > > xl = 0; > > > if (yl < 0) { 
> > > @@ -86,6 +87,19 @@ static void picmemset(PicContext *s, AVFrame *frame, > > > unsigned value, int run, > > > mask <<= bits_per_plane; > > > } > > > d = frame->data[0] + yl * frame->linesize[0]; > > > + if (s->nb_planes == 1 && > > > + run*pixels_per_value >= s->width && > > > + pixels_per_value < s->width) { > > > + int j; > > > + for (j = 8-bits_per_plane; j >= 0; j -= > > > bits_per_plane) { > > > > suggest naming it 'k' to avoid confusion with earlier for loop. > > actually, looking at this again, i think we should use the same j, > This also now excludes s->width % pixels_per_value != 0 for which i suspect > there > is no testcase. Ill add support for this in case the fuzzer finds a case > that way we then also have a testcase for implementing that corner case. > > heres the new code: > > --- a/libavcodec/pictordec.c > +++ b/libavcodec/pictordec.c > @@ -66,6 +66,7 @@ static void picmemset(PicContext *s, AVFrame *frame, > unsigned value, int run, > int xl = *x; > int yl = *y; > int planel = *plane; > + int pixels_per_value = 8/bits_per_plane; > value <<= shift; > > d = frame->data[0] + yl * frame->linesize[0]; > @@ -74,7 +75,7 @@ static void picmemset(PicContext *s, AVFrame *frame, > unsigned value, int run, > for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) { > d[xl] |= (value >> j) & mask; > xl += 1; > - if (xl == s->width) { > + while (xl == s->width) { > yl -= 1; > xl = 0; > if (yl < 0) { 
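Review bot: `int pixels_per_value = 8/bits_per_plane;` in the first hunk of the revised patch divides by a function parameter at the top of picmemset, so a `bits_per_plane` of 0 would divide by zero before any pixel is written. The hunk does not show whether the caller rejects 0, because picmemset's full signature and its call sites are outside the hunk. Either confirm the check exists at the call site and state it in a comment next to the new line, e.g. `/* bits_per_plane is in 1..8, checked by the caller */`, or guard the division with `bits_per_plane ? 8/bits_per_plane : 0`. The same line appears unchanged in the earlier quoted version of the patch.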
> @@ -86,6 +87,19 @@ static void picmemset(PicContext *s, AVFrame *frame, > unsigned value, int run, > mask <<= bits_per_plane; > } > d = frame->data[0] + yl * frame->linesize[0]; > + if (s->nb_planes == 1 && > + run*pixels_per_value >= s->width && > + pixels_per_value < s->width && > + s->width % pixels_per_value == 0 > + ) { > + for (; xl < pixels_per_value; xl ++) { > + j = (j < bits_per_plane ? 8 : j) - bits_per_plane; > + d[xl] |= (value >> j) & mask; > + } > + av_memcpy_backptr(d+xl, pixels_per_value, s->width - xl); > + run -= s->width / pixels_per_value; > + xl = s->width; > + } > } > } > run--;
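Review bot: The fast path added in the third hunk has no comment, and its condition depends on term order in a way that is easy to break. For `bits_per_plane > 8` the integer division gives `pixels_per_value == 0`, and `s->width % pixels_per_value` is then skipped only because `run*pixels_per_value >= s->width` is evaluated first and is false for a positive width. Putting `pixels_per_value > 0 &&` at the front of the condition would remove that dependence. I would also add a comment above the block, e.g. `/* run covers a whole row: write the first pixels_per_value pixels, then replicate them across the row */`, and one on `j = (j < bits_per_plane ? 8 : j) - bits_per_plane;` saying it steps j to the next bit position and wraps. The enclosing loops of picmemset begin outside the hunk.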
will apply [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Whats the most studid thing your enemy could do ? Blow himself up Whats the most studid thing you could do ? Give up your rights and freedom because your enemy blew himself up.