shithub: dav1d

ref: a1e945ca3020ee758a81e78a213c3af41cd4ffcc
parent: a6b94ca9e5cded0070419a02d9cadaa5f45b2d0d
author: Janne Grunau <janne-vlc@jannau.net>
date: Thu Nov 15 05:10:18 EST 2018

obu: tile_group and frame OBUs do not have trailing bits

The number of read bits can be equal to the size of the packet. Fixes a
triggered assert in
clusterfuzz-testcase-minimized-dav1d_fuzzer-5746175664193536. Credits to
oss-fuzz.

--- a/src/obu.c
+++ b/src/obu.c
@@ -1149,7 +1149,7 @@
         // otherwise the overrun check would have fired.
         const unsigned bit_pos = dav1d_get_bits_pos(&gb);
         assert((bit_pos & 7) == 0);
-        assert(pkt_bytelen > (bit_pos >> 3));
+        assert(pkt_bytelen >= (bit_pos >> 3));
         dav1d_ref_inc(in->ref);
         c->tile[c->n_tile_data].data.ref = in->ref;
         c->tile[c->n_tile_data].data.data = in->data + (bit_pos >> 3);
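
Review bot: with the bound relaxed to `pkt_bytelen >= (bit_pos >> 3)`, the equality case described in the commit message means `in->data + (bit_pos >> 3)` in the last line can point exactly at the end of the packet, so the tile entry would carry an empty payload. The visible lines do not show the payload size being set or checked, so please confirm that the code consuming `c->tile[c->n_tile_data].data` tolerates zero bytes, or reject that case here with an error return. Note also that both conditions are enforced only through `assert`, which does nothing when asserts are compiled out, so a runtime check would be the safer guard for attacker-controlled input such as the fuzzer case. The comment above the asserts ("otherwise the overrun check would have fired") should also be updated to say that `bit_pos >> 3` equal to `pkt_bytelen` is now a legal outcome.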