On Mon, Feb 03, 2025 at 08:05:19AM +0000, Frank Plowman wrote: > On 02/02/2025 21:17, Michael Niedermayer wrote: > > The spec seems to allow these to be negative > > > > Fixes: left shift of negative value -15 > > Fixes: 392687035/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-6559804532785152 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer > > --- > > libavcodec/vvc/refs.c | 8 ++++---- > > 1 file changed, 4 insertions(+), 4 deletions(-) > > > > diff --git a/libavcodec/vvc/refs.c b/libavcodec/vvc/refs.c > > index 8d4b7bb35b2..486515d06db 100644 > > --- a/libavcodec/vvc/refs.c > > +++ b/libavcodec/vvc/refs.c > > @@ -147,10 +147,10 @@ static VVCFrame *alloc_frame(VVCContext *s, VVCFrameContext *fc) > > for (int j = 0; j < frame->ctb_count; j++) > > frame->rpl_tab[j] = frame->rpl; > > > > - win->left_offset = pps->r->pps_scaling_win_left_offset << sps->hshift[CHROMA]; > > - win->right_offset = pps->r->pps_scaling_win_right_offset << sps->hshift[CHROMA]; > > - win->top_offset = pps->r->pps_scaling_win_top_offset << sps->vshift[CHROMA]; > > - win->bottom_offset = pps->r->pps_scaling_win_bottom_offset << sps->vshift[CHROMA]; > > + win->left_offset = pps->r->pps_scaling_win_left_offset * (1 << sps->hshift[CHROMA]); > > + win->right_offset = pps->r->pps_scaling_win_right_offset * (1 << sps->hshift[CHROMA]); > > + win->top_offset = pps->r->pps_scaling_win_top_offset * (1 << sps->vshift[CHROMA]); > > + win->bottom_offset = pps->r->pps_scaling_win_bottom_offset * (1 << sps->vshift[CHROMA]); > > frame->ref_width = pps->r->pps_pic_width_in_luma_samples - win->left_offset - win->right_offset; > > frame->ref_height = pps->r->pps_pic_height_in_luma_samples - win->bottom_offset - win->top_offset; > > > > This patch LGTM. will apply thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB During times of universal deceit, telling the truth becomes a revolutionary act. -- George Orwell