Commit 1bb1ec21 authored by Janne Grunau, committed by Ronald S. Bultje

fix unwanted integer promotion in tile data size parsing.

Fixes an undefined left shift in
clusterfuzz-testcase-minimized-dav1d_fuzzer-5717082881130496. Credits to
oss-fuzz. Fixes #110
parent 0bdd992e
......@@ -2608,7 +2608,7 @@ int dav1d_decode_frame(Dav1dFrameContext *const f) {
if (f->frame_hdr.tiling.n_bytes > size) goto error;
tile_sz = 0;
for (unsigned k = 0; k < f->frame_hdr.tiling.n_bytes; k++)
tile_sz |= *data++ << (k * 8);
tile_sz |= (unsigned)*data++ << (k * 8);
tile_sz++;
size -= f->frame_hdr.tiling.n_bytes;
if (tile_sz > size) goto error;
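Review bot: the shift count in `(unsigned)*data++ << (k * 8)` is still limited only by `f->frame_hdr.tiling.n_bytes`, and the one check visible here compares `n_bytes` against `size`, not against the width of the shifted type. The cast removes the signed-overflow case when a byte with its top bit set is shifted by 24, but a shift by 32 or more on an `unsigned` operand is undefined as well, so it would help to assert `n_bytes <= 4` next to the loop, or to add a comment naming where the header parser guarantees that range. Separately, `tile_sz++` runs before `if (tile_sz > size) goto error;`. If `tile_sz` is a 32-bit unsigned type (its declaration is outside this hunk), four 0xff bytes would wrap it to 0 and pass the size check, so that case is worth confirming or rejecting explicitly.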
......