ref: 914bf5843f6d52cdca135ab5c4e70ed85f56d54a
parent: a9380fee17a2ec3d809f5495d9d6ddd384b04ba0
author: Janne Grunau <janne-vlc@jannau.net>
date: Tue Oct 2 19:27:26 EDT 2018
frame header: check for arithmetic underflow in tile data parsing Fixes a fuzzing crash with crash-96e2d10fd8effbbcb0c8eedcbe05de50b1582fd2.
--- a/src/obu.c
+++ b/src/obu.c
@@ -1034,6 +1034,8 @@
if ((res = parse_tile_hdr(c, &gb)) < 0)
return res;
off += res;
+ if (off > len + init_off)
+ goto error;
dav1d_ref_inc(in->ref);
c->tile[c->n_tile_data].data.ref = in->ref;
c->tile[c->n_tile_data].data.data = in->data + off;
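Review bot: The new bound `if (off > len + init_off)` still accepts `off == len + init_off`, which leaves `in->data + off` pointing at a zero-length tile payload; if an empty tile payload is never valid at this point, `if (off >= len + init_off)` would reject it in the same place. The check carries no comment, and the subtraction it protects is presumably below the hunk, so a line such as `/* tile header ran past the OBU payload: remaining size would underflow */` above it would tell the next reader what is being guarded. The types of `off`, `len` and `init_off` are not visible here; if they are unsigned and `len` is read from the bitstream, confirm that `len + init_off` cannot itself wrap before this comparison. The enclosing function starts and ends outside the hunk, so what the `error` label releases or logs could not be checked.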