It is a requirement of bitstream conformance that num_cr_points is less than or equal to 10.
It is a requirement of bitstream conformance that num_cb_points is less than or equal to 10.
Signed-off-by: James Almer <jamrial@gmail.com>
"It is a requirement of bitstream conformance that num_y_points is less than or equal to 14."
Fixes: index 24 out of bounds for type 'uint8_t [24]'
Fixes: 19282/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_FRAME_MERGE_fuzzer-5747424845103104
Note, also needs a23dd33606
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: jamrial
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Taking into account the code
fb(2, ar_coeff_lag);
num_pos_luma = 2 * current->ar_coeff_lag * (current->ar_coeff_lag + 1);
if (current->num_y_points)
num_pos_chroma = num_pos_luma + 1;
else
num_pos_chroma = num_pos_luma;
Max value for ar_coeff_lag is 3 (two bits), for num_pos_luma 24, and for
num_pos_chroma 25.
Both ar_coeffs_cb_plus_128 and ar_coeffs_cr_plus_128 may have up to
num_pos_chroma values.
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
rename enable_intraintra_compound to enable_interintra_compound,
which keep same as AV1 sepc(v1.0.0-errata1).
Signed-off-by: Fei Wang <fei.w.wang@intel.com>
Signed-off-by: James Almer <jamrial@gmail.com>
In scearios where a Temporal Unit is written right after reading it using the same
CBS context (av1_metadata, av1_frame_merge, etc), the reference frame state used
by the writer must not be the state that's the result of the reader having already
parsed the current frame in question.
This fixes writing Switch frames, and frames using short ref signaling.
Signed-off-by: James Almer <jamrial@gmail.com>
All cbs-functions to write units share a common pattern:
1. They check whether they have a write buffer (that is used to store
the unit's data until the needed size becomes known after writing the
unit when a dedicated buffer will be allocated).
2. They use this buffer for a PutBitContext.
3. The (codec-specific) writing takes place through the PutBitContext.
4. The return value is checked. AVERROR(ENOSPC) here always indicates
that the buffer was too small and leads to a reallocation of said
buffer.
5. The final buffer will be allocated and the data copied.
This commit factors this common code out in a single function in cbs.c.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
delta_frame_id_minus1 is not a single value in the bitstream, and can
store values up to 17 bits wide.
Fixes parsing files with frame ids.
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
buffer_delay_length_minus_1 is five bits long, meaning decode_buffer_delay and
encoder_buffer_delay can have values up to 32 bits long.
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
found_ref is not a single value in the bitstream. Fixes parsing files with
frame size changes.
Based on code from cbs_vp9.
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
James Almer
Michael Niedermayer
Fei Wang
Andreas Rheinhardt
Mark Thompson