OSV-2022-674: dav1d: use of uninitialized value in cdef_filter_block_c

https://bugs.webkit.org/show_bug.cgi?id=269405 <rdar://122849398> Reviewed by Youenn Fablet. Merge dav1d upstream commit a3a55b18494f5dd1e34f289298f78ffa4f32a25d. * Source/WebCore/PAL/ThirdParty/libavif/ThirdParty/dav1d/src/thread_task.c: (create_filter_sbrow): Canonical link: https://commits.webkit.org/272448.565@safari-7618-branch
WebKit · Feb 15, 2024 · 8547ba1 · 8547ba1
1 parent 9d0f58f
commit 8547ba1
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/Source/WebCore/PAL/ThirdParty/libavif/ThirdParty/dav1d/src/thread_task.c b/Source/WebCore/PAL/ThirdParty/libavif/ThirdParty/dav1d/src/thread_task.c
@@ -192,13 +192,14 @@ static int create_filter_sbrow(Dav1dFrameContext *const f,
         const int prog_sz = ((f->sbh + 31) & ~31) >> 5;
         if (prog_sz > f->frame_thread.prog_sz) {
             atomic_uint *const prog = realloc(f->frame_thread.frame_progress,
-                                              prog_sz * 2 * sizeof(*prog));
+                                              2 * prog_sz * sizeof(*prog));
             if (!prog) return -1;
             f->frame_thread.frame_progress = prog;
             f->frame_thread.copy_lpf_progress = prog + prog_sz;
             f->frame_thread.prog_sz = prog_sz;
         }
-        memset(f->frame_thread.frame_progress, 0, prog_sz * 2 * sizeof(atomic_uint));
+        memset(f->frame_thread.frame_progress, 0, prog_sz * sizeof(atomic_uint));
+        memset(f->frame_thread.copy_lpf_progress, 0, prog_sz * sizeof(atomic_uint));
         atomic_store(&f->frame_thread.deblock_progress, 0);
     }
     f->frame_thread.next_tile_row[pass & 1] = 0;