On Sat, Aug 03, 2019 at 12:43:32PM +1000, Peter Ross wrote: > On Sat, Aug 03, 2019 at 01:49:54AM +0200, Michael Niedermayer wrote: > > Fixes: Timeout (72sec -> 1sec) > > Fixes: > > 15512/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PICTOR_fuzzer-5663942342344704 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <[email protected]> > > --- > > libavcodec/pictordec.c | 16 +++++++++++++++- > > 1 file changed, 15 insertions(+), 1 deletion(-) > > > > diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c > > index 2e6fcdca52..5beb03cd5d 100644 > > --- a/libavcodec/pictordec.c > > +++ b/libavcodec/pictordec.c > > @@ -66,6 +66,7 @@ static void picmemset(PicContext *s, AVFrame *frame, > > unsigned value, int run, > > int xl = *x; > > int yl = *y; > > int planel = *plane; > > + int pixels_per_value = 8/bits_per_plane; > > value <<= shift; > > > > d = frame->data[0] + yl * frame->linesize[0]; > > @@ -74,7 +75,7 @@ static void picmemset(PicContext *s, AVFrame *frame, > > unsigned value, int run, > > for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) { > > d[xl] |= (value >> j) & mask; > > xl += 1; > > - if (xl == s->width) { > > + while (xl == s->width) { > > yl -= 1; > > xl = 0; > > if (yl < 0) { > > @@ -86,6 +87,19 @@ static void picmemset(PicContext *s, AVFrame *frame, > > unsigned value, int run, > > mask <<= bits_per_plane; > > } > > d = frame->data[0] + yl * frame->linesize[0]; > > + if (s->nb_planes == 1 && > > + run*pixels_per_value >= s->width && > > + pixels_per_value < s->width) { > > + int j; > > + for (j = 8-bits_per_plane; j >= 0; j -= > > bits_per_plane) { > > suggest naming it 'k' to avoid confusion with earlier for loop.
Actually, looking at this again, I think we should use the same j.
This also now excludes s->width % pixels_per_value != 0, for which I suspect
there
is no testcase. I'll add support for this in case the fuzzer finds a case;
that way we then also have a testcase for implementing that corner case.
Here's the new code:
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -66,6 +66,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned
value, int run,
int xl = *x;
int yl = *y;
int planel = *plane;
+ int pixels_per_value = 8/bits_per_plane;
value <<= shift;
d = frame->data[0] + yl * frame->linesize[0];
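Review bot: `8/bits_per_plane` is evaluated on every call before any check, so a `bits_per_plane` of 0 would be a division by zero, and the hunk does not show where the caller bounds it. The existing inner `for` would already fail to terminate for 0, so the range is presumably enforced during header parsing, but that is not visible here. Since this path is driven by fuzzer-generated input, I would record the precondition at the declaration, e.g. `/* caller guarantees 1 <= bits_per_plane <= 8 */`, after confirming it against the caller. picmemset's body continues outside the hunk.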
@@ -74,7 +75,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned
value, int run,
for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) {
d[xl] |= (value >> j) & mask;
xl += 1;
- if (xl == s->width) {
+ while (xl == s->width) {
yl -= 1;
xl = 0;
if (yl < 0) {
@@ -86,6 +87,19 @@ static void picmemset(PicContext *s, AVFrame *frame,
unsigned value, int run,
mask <<= bits_per_plane;
}
d = frame->data[0] + yl * frame->linesize[0];
+ if (s->nb_planes == 1 &&
+ run*pixels_per_value >= s->width &&
+ pixels_per_value < s->width &&
+ s->width % pixels_per_value == 0
+ ) {
+ for (; xl < pixels_per_value; xl ++) {
+ j = (j < bits_per_plane ? 8 : j) - bits_per_plane;
+ d[xl] |= (value >> j) & mask;
+ }
+ av_memcpy_backptr(d+xl, pixels_per_value, s->width - xl);
+ run -= s->width / pixels_per_value;
+ xl = s->width;
+ }
}
}
run--;
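Review bot: The fast-path guard `run*pixels_per_value >= s->width` looks one value too permissive: the value currently being expanded by the inner `for` is still counted in `run` and at least one of its pixels was written before the wrap, so when `run*pixels_per_value == s->width` fewer than `s->width` pixels remain, yet a full row is filled and the `for` then finishes the current value on the following row. Assuming `run--` sits in a `while (run > 0)` loop that starts outside the hunk, that writes `pixels_per_value` pixels more than the slow path would; the stores appear to stay inside the row, so the effect is wrong output and a different end position rather than an out-of-bounds write. Requiring `(run - 1)*pixels_per_value >= s->width &&` keeps `run` positive after the subtraction and makes both paths agree. Separately, `av_memcpy_backptr` overwrites the row tail where the slow path ORs into it, which matches only if those bytes are still zero; a comment such as `/* single plane: row tail assumed still zero, so copy == OR */` would record that assumption.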
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
The greatest way to live with honor in this world is to be what we pretend
to be. -- Socrates
