From 5231e89eb9eedc119d4f762469355f83e3628f20 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 2 Aug 2019 23:10:35 +0200
Subject: [PATCH] avcodec/pictordec: Optimize picmemset() for single plane full
 lines

Fixes: Timeout (72sec -> 1sec)
Fixes: 15512/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PICTOR_fuzzer-5663942342344704

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/pictordec.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
index 2e6fcdca52..6340902526 100644
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -66,6 +66,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run,
     int xl = *x;
     int yl = *y;
     int planel = *plane;
+    int pixels_per_value = 8/bits_per_plane;
     value   <<= shift;
 
     d = frame->data[0] + yl * frame->linesize[0];
@@ -74,7 +75,7 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run,
         for (j = 8-bits_per_plane; j >= 0; j -= bits_per_plane) {
             d[xl] |= (value >> j) & mask;
             xl += 1;
-            if (xl == s->width) {
+            while (xl == s->width) {
                 yl -= 1;
                 xl = 0;
                 if (yl < 0) {
@@ -86,6 +87,19 @@ static void picmemset(PicContext *s, AVFrame *frame, unsigned value, int run,
                    mask  <<= bits_per_plane;
                 }
                 d = frame->data[0] + yl * frame->linesize[0];
+                if (s->nb_planes == 1 &&
+                    run*pixels_per_value >= s->width &&
+                    pixels_per_value < s->width &&
+                    s->width % pixels_per_value == 0
+                    ) {
+                    for (; xl < pixels_per_value; xl ++) {
+                        j = (j < bits_per_plane ? 8 : j) - bits_per_plane;
+                        d[xl] |= (value >> j) & mask;
+                    }
+                    av_memcpy_backptr(d+xl, pixels_per_value, s->width - xl);
+                    run -= s->width / pixels_per_value;
+                    xl = s->width;
+                }
             }
         }
         run--;