author | Henrik Gramner <gramner@twoorioles.com> | 2024-03-28 01:27:48 +0100 |
---|---|---|
committer | Henrik Gramner <gramner@twoorioles.com> | 2024-03-28 01:41:28 +0100 |
commit | 076955a1534bb49325a2252f6a1f494674e5363a (patch) | |
tree | c70d5e61bddd489c2c05e22529212efea9c2a178 | |
parent | 3d98a242a055438ca76020434a530ebe074fa892 (diff) | |
download | libdav1d-076955a1534bb49325a2252f6a1f494674e5363a.tar.gz |
refmvs: Fix buffer overread in save_tmvs() asm
The refmvs_block struct is only 12 bytes large but it's accessed
using 16-byte unaligned loads in asm.
In order to avoid reading past the end of the allocated buffer
we therefore need to pad the allocation size by 4 bytes.
-rw-r--r-- | src/refmvs.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/refmvs.c b/src/refmvs.c
index 200afeb..1da024b 100644
--- a/src/refmvs.c
+++ b/src/refmvs.c
@@ -817,7 +817,9 @@ int dav1d_refmvs_init_frame(refmvs_frame *const rf,
 if (r_stride != rf->r_stride || n_tile_rows != rf->n_tile_rows) {
 if (rf->r) dav1d_freep_aligned(&rf->r);
 const int uses_2pass = n_tile_threads > 1 && n_frame_threads > 1;
- rf->r = dav1d_alloc_aligned(ALLOC_REFMVS, sizeof(*rf->r) * 35 * r_stride * n_tile_rows * (1 + uses_2pass), 64);
+ /* sizeof(refmvs_block) == 12 but it's accessed using 16-byte loads in asm,
+ * so add 4 bytes of padding to avoid buffer overreads. */
+ rf->r = dav1d_alloc_aligned(ALLOC_REFMVS, sizeof(*rf->r) * 35 * r_stride * n_tile_rows * (1 + uses_2pass) + 4, 64);
 if (!rf->r) return DAV1D_ERR(ENOMEM);
 rf->r_stride = r_stride;
 }
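Review bot: The added `+ 4` on the dav1d_alloc_aligned line is a bare constant that only stays correct while sizeof(refmvs_block) is exactly 12 and the asm keeps 16-byte loads; if the struct is ever resized the padding silently becomes too small again and the overread the commit fixes returns without any compiler warning. Pin the assumption next to the new comment so the build fails instead, e.g. `_Static_assert(sizeof(*rf->r) == 12, "save_tmvs asm assumes 12-byte refmvs_block");` (or the project's own compile-time check if the build's C standard predates C11). The four padding bytes are also never written, which is fine for an overread whose extra lanes are discarded, but it is worth stating that in the comment so a future reader does not treat them as meaningful data; whether the asm actually discards those lanes cannot be confirmed from this hunk. The enclosing function dav1d_refmvs_init_frame starts and ends outside the hunk.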