ref: a1e945ca3020ee758a81e78a213c3af41cd4ffcc
parent: a6b94ca9e5cded0070419a02d9cadaa5f45b2d0d
author: Janne Grunau <janne-vlc@jannau.net>
date: Thu Nov 15 05:10:18 EST 2018
obu: tile_group and frame OBUs do not have trailing bits

The number of read bits can be equal to the size of the packet. Fixes a triggered assert in clusterfuzz-testcase-minimized-dav1d_fuzzer-5746175664193536. Credits to oss-fuzz.
--- a/src/obu.c
+++ b/src/obu.c
@@ -1149,7 +1149,7 @@
// otherwise the overrun check would have fired.
const unsigned bit_pos = dav1d_get_bits_pos(&gb);
assert((bit_pos & 7) == 0);
- assert(pkt_bytelen > (bit_pos >> 3));
+ assert(pkt_bytelen >= (bit_pos >> 3));
dav1d_ref_inc(in->ref);
c->tile[c->n_tile_data].data.ref = in->ref;
c->tile[c->n_tile_data].data.data = in->data + (bit_pos >> 3);
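Review bot: With `>=` accepted, `bit_pos >> 3` can equal `pkt_bytelen`, so the `data.data` assignment on the last line of the hunk may point one past the end of the packet with an empty tile payload. The size assignment and the tile consumer are outside the hunk, so it is worth confirming that a zero-length tile buffer is rejected or handled before anything reads through that pointer. Both bounds here are `assert`s, which disappear in NDEBUG builds, so on untrusted bitstreams the only real protection is the earlier overrun check the comment refers to. I would record the new invariant next to the assert, for example `// tile_group and frame OBUs have no trailing bits, so bit_pos >> 3 may equal pkt_bytelen (empty payload)`. The enclosing function starts and ends outside the hunk.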