Commit 914bf584 authored by Janne Grunau

frame header: check for arithmetic underflow in tile data parsing

Fixes a fuzzing crash with crash-96e2d10fd8effbbcb0c8eedcbe05de50b1582fd2.
parent a9380fee
...@@ -1034,6 +1034,8 @@ int parse_obus(Dav1dContext *const c, Dav1dData *const in) { ...@@ -1034,6 +1034,8 @@ int parse_obus(Dav1dContext *const c, Dav1dData *const in) {
if ((res = parse_tile_hdr(c, &gb)) < 0) if ((res = parse_tile_hdr(c, &gb)) < 0)
return res; return res;
off += res; off += res;
if (off > len + init_off)
goto error;
dav1d_ref_inc(in->ref); dav1d_ref_inc(in->ref);
c->tile[c->n_tile_data].data.ref = in->ref; c->tile[c->n_tile_data].data.ref = in->ref;
c->tile[c->n_tile_data].data.data = in->data + off; c->tile[c->n_tile_data].data.data = in->data + off;
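Review bot: the new `if (off > len + init_off) goto error;` guard has no comment saying what invariant it enforces; add one noting that `off` must stay within the OBU payload (`len` bytes starting at `init_off`) because `off` is used immediately afterwards as the tile-data offset in `c->tile[c->n_tile_data].data.data = in->data + off;`. Two things to confirm: the strict `>` still admits `off == len + init_off`, which leaves zero bytes of tile data after the tile header, so use `>=` if an empty tile group is not valid; and the comparison only helps if `len + init_off` itself cannot overflow in the types used for `off`, `len` and `init_off`, which are not visible in this hunk. Any other path in this function that advances `off` by a parser's return value would need the same bound check.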