Commit c5d283bd authored by Janne Grunau

tile: check for arithmetic underflow in tile setup

Fixes a fuzzing crash in crash-5f55445c56a36f28259bc742dd08b2c5ba42045d.
parent 1b5d3359
Pipeline #907 passed with stage in 1 minute and 54 seconds
......@@ -2513,6 +2513,7 @@ int dav1d_decode_frame(Dav1dFrameContext *const f) {
if (j == f->tile[i].end - empty_tiles) {
tile_sz = size;
} else {
if (f->frame_hdr.tiling.n_bytes > size) goto error;
tile_sz = 0;
for (int k = 0; k < f->frame_hdr.tiling.n_bytes; k++)
tile_sz |= *data++ << (k * 8);
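Review bot: The `n_bytes > size` check at the top of the else branch only guarantees that the length prefix itself can be read; the `tile_sz` value assembled in the loop comes straight from the bitstream, and nothing in the visible context compares it with the bytes that remain after the prefix. Please confirm the code following this hunk rejects the tile when `tile_sz` exceeds `size - n_bytes`, and that `size` is reduced by `n_bytes` before that comparison, otherwise the same kind of underflow can recur one step later. Separately, in `tile_sz |= *data++ << (k * 8);` the byte is promoted to `int` before the shift, so if `n_bytes` can reach 4, a final byte of 0x80 or above shifts into the sign bit; casting it to `unsigned` before shifting avoids that. A one-line comment on the check naming the read it protects would also help, since the commit message only cites the fuzzer crash file.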
......