In scearios where a Temporal Unit is written right after reading it using the same
CBS context (av1_metadata, av1_frame_merge, etc), the reference frame state used
by the writer must not be the state that's the result of the reader having already
parsed the current frame in question.
This fixes writing Switch frames, and frames using short ref signaling.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 4e2bef6a82b356772a5919c51c9be1530268bd79)
"It is a requirement of bitstream conformance that num_y_points is less than or equal to 14."
Fixes: index 24 out of bounds for type 'uint8_t [24]'
Fixes: 19282/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_FRAME_MERGE_fuzzer-5747424845103104
Note, also needs a23dd33606d5
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: jamrial
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bbe27890ff7e31e74d024a17123cb073720f2486)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Taking into account the code
fb(2, ar_coeff_lag);
num_pos_luma = 2 * current->ar_coeff_lag * (current->ar_coeff_lag + 1);
if (current->num_y_points)
num_pos_chroma = num_pos_luma + 1;
else
num_pos_chroma = num_pos_luma;
Max value for ar_coeff_lag is 3 (two bits), for num_pos_luma 24, and for
num_pos_chroma 25.
Both ar_coeffs_cb_plus_128 and ar_coeffs_cr_plus_128 may have up to
num_pos_chroma values.
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit a23dd33606d5a711fd632383d81a1d6c60082e0f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
delta_frame_id_minus1 is not a single value in the bitstream, and can
store values up to 17 bits wide.
Fixes parsing files with frame ids.
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 064f9505f49816650516c7afe93e43d8f547891a)
The valid range is -255 to 255.
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 79831f4531d98c3c1eab96c10f1135d08abef5f3)
buffer_delay_length_minus_1 is five bits long, meaning decode_buffer_delay and
encoder_buffer_delay can have values up to 32 bits long.
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 89a0d33e3a53e8edefd734b131a7035d13052947)
found_ref is not a single value in the bitstream. Fixes parsing files with
frame size changes.
Based on code from cbs_vp9.
Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
