CONFIG_OPTFLOW_REFINEMENT: int16 motion vector overflow

How was the issue detected?

HDR Nova AV2 Verification

What version / commit were you testing with?

55c6df3a

What steps will reproduce the problem?

We are making verification streams for CONFIG_OPTFLOW_REFINEMENT, but have found an integer overflow in the reference code.

The problem is in reconinter.c:

  mv_refined[i * 2].as_mv.row +=
        clamp(vy0[i], -OPFL_MV_DELTA_LIMIT, OPFL_MV_DELTA_LIMIT);

The motion vector is defined as:

typedef struct mv {
  int16_t row;
  int16_t col;
} MV;

The problem occurs when the motion vector is near its largest positive value, and a small positive delta is added. In this case the motion vector wraps around to a large negative value.

Note that in most of the code motion vectors are restricted to the range MV_LOW to MV_UPP which correspond to +- 1<<14, but mv_refined uses the same structure to hold motion vectors multiplied by 2 so the valid range is doubled and int16 overflow can occur.