Commit 1bb1ec21 authored by Janne Grunau, committed by Ronald S. Bultje

fix unwanted integer promotion in tile data size parsing.

Fixes an undefined left shift in
clusterfuzz-testcase-minimized-dav1d_fuzzer-5717082881130496. Credits to
oss-fuzz. Fixes #110
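The promotion bug the commit describes, shown on a stand-alone parser for the little-endian tile size prefix. This is an added example, not dav1d's code: the function names, the `remaining`/`n_bytes` parameters and the sample byte strings are all constructed here. In the unfixed expression `*data++ << (k * 8)` each `uint8_t` is promoted to `int`, so a byte with its top bit set shifted by 24 lands in the sign bit of an `int`, which C leaves undefined; the example accumulates in an unsigned type instead and also widens before the `+ 1` so that a stored value of 0xFFFFFFFF cannot wrap to zero and slip past the size check.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

/* Constructed example, not dav1d code. Parses the little-endian tile size
 * prefix that precedes a tile in an AV1 tile group. n_bytes is the
 * frame-header tile_size_bytes value, which AV1 limits to 1..4. Returns the
 * decoded tile size (stored value + 1), or 0 when the input is malformed;
 * 0 is a safe error value because a tile is never empty. */
uint64_t parse_tile_size(const uint8_t *data, size_t remaining,
                         unsigned n_bytes)
{
    if (n_bytes < 1 || n_bytes > 4) return 0;    /* keeps k * 8 < 32 */
    if (n_bytes > remaining) return 0;            /* prefix itself must fit */

    uint32_t raw = 0;
    for (unsigned k = 0; k < n_bytes; k++)
        raw |= (uint32_t)data[k] << (k * 8);      /* unsigned: no int promotion */

    uint64_t tile_sz = (uint64_t)raw + 1;         /* 64-bit: 0xFFFFFFFF + 1 cannot wrap */
    if (tile_sz > remaining - n_bytes) return 0;  /* payload must fit after the prefix */
    return tile_sz;
}

/* Reports whether the unfixed expression `*data++ << (k * 8)` would have
 * been undefined for this prefix: the byte is promoted to int, and a left
 * shift whose result does not fit in int is undefined behaviour in C. */
int promoted_shift_is_undefined(const uint8_t *data, unsigned n_bytes)
{
    for (unsigned k = 0; k < n_bytes && k < 4; k++) {
        uint64_t shifted = (uint64_t)data[k] << (k * 8);  /* computed safely */
        if (shifted > (uint64_t)INT_MAX) return 1;
    }
    return 0;
}
```

Only the fourth byte can trigger the promoted-shift case, and only when its top bit is set, which is why a fuzzer finds it quickly with a 4-byte prefix and a plain review tends to miss it.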
parent 0bdd992e
Pipeline #1339 passed in 4 minutes and 29 seconds
......@@ -2608,7 +2608,7 @@ int dav1d_decode_frame(Dav1dFrameContext *const f) {
if (f->frame_hdr.tiling.n_bytes > size) goto error;
tile_sz = 0;
for (unsigned k = 0; k < f->frame_hdr.tiling.n_bytes; k++)
tile_sz |= *data++ << (k * 8);
tile_sz |= (unsigned)*data++ << (k * 8);
tile_sz++;
size -= f->frame_hdr.tiling.n_bytes;
if (tile_sz > size) goto error;
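Review bot: the `(unsigned)` cast in `tile_sz |= (unsigned)*data++ << (k * 8);` removes the undefined shift only while `k * 8` stays below the width of `unsigned`, i.e. while `n_bytes <= 4`; the check `if (f->frame_hdr.tiling.n_bytes > size) goto error;` bounds `n_bytes` against the remaining data, not against 4, so this loop depends on a limit enforced elsewhere that is not visible in the hunk. An `assert(f->frame_hdr.tiling.n_bytes <= 4)` or a comment on the loop would make that dependency explicit. Separately, if `tile_sz` is a 32-bit type, a prefix of four 0xFF bytes makes `tile_sz++` wrap to 0, which then passes `if (tile_sz > size) goto error;` and hands the caller an empty tile; accumulating into a 64-bit value, or rejecting `tile_sz == UINT32_MAX` before the increment, would close that.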