decode_b: make sure seg_id is valid

Fixes heap overflow with david-fuzzing-data:artifacts/crash-5c3b00780bb24ac2e123c3f172b1e4829bc98aa5.

decode_b: make sure seg_id is valid
Fixes heap overflow with david-fuzzing-data:artifacts/crash-5c3b00780bb24ac2e123c3f172b1e4829bc98aa5.
57347c19 · Janne Grunau · f7830788 · 57347c19
Commit 57347c19 authored Oct 06, 2018 by Janne Grunau
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

src/decode.c src/decode.c +2 -0

No files found.
--- a/src/decode.c
+++ b/src/decode.c
@@ -773,6 +773,7 @@ static void decode_b(Dav1dTileContext *const t,
                b->seg_id = neg_deinterleave(diff, pred_seg_id,
                                             last_active_seg_id + 1);
                if (b->seg_id > last_active_seg_id) b->seg_id = 0; // error?
+                if (b->seg_id >= NUM_SEGMENTS) b->seg_id = 0; // error?
            }

            if (DEBUG_BLOCK_INFO)
@@ -821,6 +822,7 @@ static void decode_b(Dav1dTileContext *const t,
                                             last_active_seg_id + 1);
                if (b->seg_id > last_active_seg_id) b->seg_id = 0; // error?
            }
+            if (b->seg_id >= NUM_SEGMENTS) b->seg_id = 0; // error?
        }

        if (DEBUG_BLOCK_INFO)