The spec seems to allow these to be negative

Fixes: left shift of negative value -15
Fixes: 392687035/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-6559804532785152
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavcodec/vvc/refs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/vvc/refs.c b/libavcodec/vvc/refs.c index 8d4b7bb35b2..486515d06db 100644 --- a/libavcodec/vvc/refs.c +++ b/libavcodec/vvc/refs.c @@ -147,10 +147,10 @@ static VVCFrame *alloc_frame(VVCContext *s, VVCFrameContext *fc) for (int j = 0; j < frame->ctb_count; j++) frame->rpl_tab[j] = frame->rpl; - win->left_offset = pps->r->pps_scaling_win_left_offset << sps->hshift[CHROMA]; - win->right_offset = pps->r->pps_scaling_win_right_offset << sps->hshift[CHROMA]; - win->top_offset = pps->r->pps_scaling_win_top_offset << sps->vshift[CHROMA]; - win->bottom_offset = pps->r->pps_scaling_win_bottom_offset << sps->vshift[CHROMA]; + win->left_offset = pps->r->pps_scaling_win_left_offset * (1 << sps->hshift[CHROMA]); + win->right_offset = pps->r->pps_scaling_win_right_offset * (1 << sps->hshift[CHROMA]); + win->top_offset = pps->r->pps_scaling_win_top_offset * (1 << sps->vshift[CHROMA]); + win->bottom_offset = pps->r->pps_scaling_win_bottom_offset * (1 << sps->vshift[CHROMA]); frame->ref_width = pps->r->pps_pic_width_in_luma_samples - win->left_offset - win->right_offset; frame->ref_height = pps->r->pps_pic_height_in_luma_samples - win->bottom_offset - win->top_offset; -- 2.48.1
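Review bot: The four `win->*_offset` assignments in alloc_frame() trade the undefined left shift of a negative value for a signed multiply, but nothing in this hunk bounds `pps_scaling_win_*_offset`, so the multiply, and the `frame->ref_width` / `frame->ref_height` subtractions in the trailing context lines, can still overflow a signed int if the parsed values are large in magnitude. Please confirm that the PPS parser range-checks these four fields, and say so in the commit message or in a comment above the assignments. With negative offsets now accepted, `ref_width` and `ref_height` can also come out larger than `pps_pic_width_in_luma_samples` / `pps_pic_height_in_luma_samples`; a one-line comment stating that this is intended, with the spec clause behind "seems to allow", would help the next reader judge whether consumers of `ref_width`, `ref_height` and the window offsets handle that case.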