File dav1d-CVE-2024-1580.patch of Package dav1d.32683
From 2b475307dc11be9a1c3cc4358102c76a7f386a51 Mon Sep 17 00:00:00 2001
From: Henrik Gramner <gramner@twoorioles.com>
Date: Tue, 21 Nov 2023 20:47:50 +0100
Subject: [PATCH] Fix tile_start_off calculations for extremely large frame
sizes
The tile start offset, in pixels, can exceed the range of a signed int.
---
src/decode.c | 13 +++++++------
src/internal.h | 2 +-
2 files changed, 8 insertions(+), 7 deletions(-)
diff -urp dav1d-1.0.0.orig/src/decode.c dav1d-1.0.0/src/decode.c
--- dav1d-1.0.0.orig/src/decode.c 2022-03-18 08:31:21.000000000 -0500
+++ dav1d-1.0.0/src/decode.c 2024-02-21 13:48:07.606342435 -0600
@@ -2618,7 +2618,7 @@ static void setup_tile(Dav1dTileState *c
const Dav1dFrameContext *const f,
const uint8_t *const data, const size_t sz,
const int tile_row, const int tile_col,
- const int tile_start_off)
+ const unsigned tile_start_off)
{
const int col_sb_start = f->frame_hdr->tiling.col_start_sb[tile_col];
const int col_sb128_start = col_sb_start >> !f->seq_hdr->sb128;
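Review bot: The parameter's new `unsigned` type carries no hint of why it was widened, and the reason given in the commit message (the offset is in pixels and can exceed INT_MAX) is exactly the invariant a later refactor is likely to lose; a short comment on the declaration, `const unsigned tile_start_off) /* pixel offset of the tile; may exceed INT_MAX on the largest frames */`, would preserve it. setup_tile's body continues outside the hunk, and that is where the offset is actually consumed, so any expression there that scales or shifts it before adding it to a pixel pointer should be checked so the value is not narrowed back to `int` on the way, since this hunk changes only the parameter. The caller-side and storage changes are in the dav1d_decode_frame_init and internal.h hunks of the same patch.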
@@ -2969,15 +2969,16 @@ int dav1d_decode_frame_init(Dav1dFrameCo
const uint8_t *const size_mul = ss_size_mul[f->cur.p.layout];
const int hbd = !!f->seq_hdr->hbd;
if (c->n_fc > 1) {
+ const unsigned sb_step4 = f->sb_step * 4;
int tile_idx = 0;
for (int tile_row = 0; tile_row < f->frame_hdr->tiling.rows; tile_row++) {
- int row_off = f->frame_hdr->tiling.row_start_sb[tile_row] *
- f->sb_step * 4 * f->sb128w * 128;
- int b_diff = (f->frame_hdr->tiling.row_start_sb[tile_row + 1] -
- f->frame_hdr->tiling.row_start_sb[tile_row]) * f->sb_step * 4;
+ const unsigned row_off = f->frame_hdr->tiling.row_start_sb[tile_row] *
+ sb_step4 * f->sb128w * 128;
+ const unsigned b_diff = (f->frame_hdr->tiling.row_start_sb[tile_row + 1] -
+ f->frame_hdr->tiling.row_start_sb[tile_row]) * sb_step4;
for (int tile_col = 0; tile_col < f->frame_hdr->tiling.cols; tile_col++) {
f->frame_thread.tile_start_off[tile_idx++] = row_off + b_diff *
- f->frame_hdr->tiling.col_start_sb[tile_col] * f->sb_step * 4;
+ f->frame_hdr->tiling.col_start_sb[tile_col] * sb_step4;
}
}
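Review bot: The row_off and b_diff products avoid signed overflow only because `sb_step4` is the first `unsigned` factor and `f->frame_hdr->tiling.row_start_sb[tile_row] * sb_step4 * f->sb128w * 128` is evaluated left to right, so every later multiplication is performed in unsigned arithmetic; that is correct but invisible, and a comment above the `sb_step4` declaration such as `// unsigned: the pixel offsets below can exceed INT_MAX on the largest frames, so keep all products in unsigned arithmetic` would stop a future edit from reordering the factors back into `int`. The new code still has no check that the result fits in 32 bits; whether the largest frame dimensions the sequence header allows keep `row_off + b_diff * col_start_sb * sb_step4` below UINT_MAX is not shown in this hunk, so if that bound is known it is worth stating next to the `unsigned *tile_start_off` field in the internal.h hunk, or asserting here, rather than relying on silent wraparound. dav1d_decode_frame_init starts and ends outside the hunk.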
diff -urp dav1d-1.0.0.orig/src/internal.h dav1d-1.0.0/src/internal.h
--- dav1d-1.0.0.orig/src/internal.h 2022-03-18 08:31:21.000000000 -0500
+++ dav1d-1.0.0/src/internal.h 2024-02-21 13:48:07.606342435 -0600
@@ -292,7 +292,7 @@ struct Dav1dFrameContext {
int prog_sz;
int pal_sz, pal_idx_sz, cf_sz;
// start offsets per tile
- int *tile_start_off;
+ unsigned *tile_start_off;
} frame_thread;
// loopfilter