ref: 1bb1ec21eae5934b06323f2e3dfe9cac8b41c5ed
parent: 0bdd992ee117e0074854916710f198fce7f772f0
author: Janne Grunau <janne-vlc@jannau.net>
date: Thu Oct 25 05:32:38 EDT 2018
fix unwanted integer promotion in tile data size parsing. Fixes an undefined left shift in clusterfuzz-testcase-minimized-dav1d_fuzzer-5717082881130496. Credits to oss-fuzz. Fixes #110
--- a/src/decode.c
+++ b/src/decode.c
@@ -2608,7 +2608,7 @@
if (f->frame_hdr.tiling.n_bytes > size) goto error;
tile_sz = 0;
for (unsigned k = 0; k < f->frame_hdr.tiling.n_bytes; k++)
- tile_sz |= *data++ << (k * 8);
+ tile_sz |= (unsigned)*data++ << (k * 8);
tile_sz++;
size -= f->frame_hdr.tiling.n_bytes;
if (tile_sz > size) goto error;
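Review bot: The `(unsigned)` cast on the new line removes the undefined shift only if `*data` is already an unsigned byte type; if `data` were a plain or signed `char`, the cast would sign-extend a byte ≥ 0x80 to 0xFFFFFFxx and corrupt the assembled size, so the pointee type is worth confirming at the declaration, which is outside this hunk. The `tile_sz++` that follows is still unguarded: with four size bytes of 0xFF the OR result is 0xFFFFFFFF, and the increment either wraps to 0 (unsigned 32-bit `tile_sz`) or overflows (signed), either of which slips past `if (tile_sz > size) goto error;` — a check such as `if (tile_sz == UINT32_MAX) goto error;` before the increment would close that, assuming `tile_sz` is a 32-bit unsigned type, which cannot be seen here. A short comment on the loop line, `/* cast keeps the byte out of signed int before the shift (k*8 can be 24) */`, would record why the cast is needed. The enclosing function begins and ends outside the hunk.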