Commit a1e945ca authored by Janne Grunau

obu: tile_group and frame OBUs do not have trailing bits

The number of read bits can be equal to the size of the packet. Fixes a
triggered assert in
clusterfuzz-testcase-minimized-dav1d_fuzzer-5746175664193536. Credits to
oss-fuzz.
parent a6b94ca9
......@@ -1149,7 +1149,7 @@ int dav1d_parse_obus(Dav1dContext *const c, Dav1dData *const in) {
// otherwise the overrun check would have fired.
const unsigned bit_pos = dav1d_get_bits_pos(&gb);
assert((bit_pos & 7) == 0);
assert(pkt_bytelen > (bit_pos >> 3));
assert(pkt_bytelen >= (bit_pos >> 3));
dav1d_ref_inc(in->ref);
c->tile[c->n_tile_data].data.ref = in->ref;
c->tile[c->n_tile_data].data.data = in->data + (bit_pos >> 3);
......
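Review bot: With the bound relaxed to `pkt_bytelen >= (bit_pos >> 3)`, the assignment `c->tile[c->n_tile_data].data.data = in->data + (bit_pos >> 3);` can now point exactly one past the last byte of the packet, which leaves a zero-length tile payload. The size computation for that tile is outside the visible lines, so please confirm it yields 0 in the equality case rather than wrapping, and that the tile parser handles an empty payload without reading from the pointer. If `assert` is compiled out in release builds, this bound is only checked in debug and fuzzing builds and the code depends entirely on the earlier overrun check that the comment mentions. It would help to extend that comment to say equality is valid because tile_group and frame OBUs carry no trailing bits.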