Commit 914bf584 authored by Janne Grunau's avatar Janne Grunau

frame header: check for arithmetic underflow in tile data parsing

Fixes a fuzzing crash with crash-96e2d10fd8effbbcb0c8eedcbe05de50b1582fd2.
parent a9380fee
......@@ -1034,6 +1034,8 @@ int parse_obus(Dav1dContext *const c, Dav1dData *const in) {
if ((res = parse_tile_hdr(c, &gb)) < 0)
return res;
off += res;
if (off > len + init_off)
goto error;
c->tile[c->n_tile_data].data.ref = in->ref;
c->tile[c->n_tile_data] = in->data + off;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment