Fixes: Timeout (72sec -> 1sec) Fixes: 15512/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PICTOR_fuzzer-5663942342344704
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavcodec/pictordec.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index 2e6fcdca52..5beb03cd5d 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -66,6 +66,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, int xl = *x; int yl = *y; int planel = *plane; + int pixels_per_value = 8/bits_per_plane; value <<= shift; d = frame->data[0] + yl * frame->linesize[0]; @@ -74,7 +75,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) { d[xl] |= (value >> j) & mask; xl += 1; - if (xl == s->width) { + while (xl == s->width) { yl -= 1; xl = 0; if (yl < 0) { @@ -86,6 +87,19 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run, mask <<= bits_per_plane; } d = frame->data[0] + yl * frame->linesize[0]; + if (s->nb_planes == 1 && + run*pixels_per_value >= s->width && + pixels_per_value < s->width) { + int j; + for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) { + d[xl] |= (value >> j) & mask; + xl += 1; + } + av_assert0(xl == pixels_per_value); + av_memcpy_backptr(d+xl, pixels_per_value, s->width - xl); + run -= (s->width + pixels_per_value - 1) / pixels_per_value; + xl = s->width; + } } } run--; -- 2.22.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
