
ref: a9380fee17a2ec3d809f5495d9d6ddd384b04ba0
parent: a537c5acd9c4bd3b37c83b5783b3f3414fdf907a
author: Janne Grunau <janne-vlc@jannau.net>
date: Wed Oct 3 07:41:52 EDT 2018

frame header: fix tile size parsing for non-uniform tiles

Spotted by David Michael Barr <b@rr-dav.id.au>
Fixes a fuzzing crash in crash-96e2d10fd8effbbcb0c8eedcbe05de50b1582fd2.

--- a/src/obu.c
+++ b/src/obu.c
@@ -461,8 +461,8 @@
         hdr->tiling.cols = 0;
         int widest_tile = 0, max_tile_area_sb = sbw * sbh;
         for (int sbx = 0; sbx < sbw; hdr->tiling.cols++) {
-            const int tile_w = get_uniform(gb, imin(sbw - sbx,
-                                                    max_tile_width_sb));
+            const int tile_w = 1 + get_uniform(gb, imin(sbw - sbx,
+                                                        max_tile_width_sb));
             hdr->tiling.col_start_sb[hdr->tiling.cols] = sbx;
             sbx += tile_w;
             widest_tile = imax(widest_tile, tile_w);
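Review bot: The loop at `for (int sbx = 0; sbx < sbw; hdr->tiling.cols++)` still writes `col_start_sb[hdr->tiling.cols]` with no check against that array's capacity; the added `1 +` makes `tile_w` at least 1 so `sbx` strictly advances and the iteration count is now bounded by `sbw`, but whether `sbw` is already clamped so that bound cannot exceed the array length is not visible here. The same applies to the row loop in the second hunk, which indexes `row_start_sb[hdr->tiling.rows]` under the same conditions. Since `imin(sbw - sbx, max_tile_width_sb)` keeps `tile_w <= sbw - sbx`, `sbx` can never overshoot `sbw`, which is worth recording next to the new line: `/* tile_w >= 1 and <= sbw - sbx: sbx strictly advances, cols <= sbw */`. The enclosing function begins and ends outside both hunks.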
@@ -473,8 +473,8 @@
 
         hdr->tiling.rows = 0;
         for (int sby = 0; sby < sbh; hdr->tiling.rows++) {
-            const int tile_h = get_uniform(gb, imin(sbh - sby,
-                                                    max_tile_height_sb));
+            const int tile_h = 1 + get_uniform(gb, imin(sbh - sby,
+                                                        max_tile_height_sb));
             hdr->tiling.row_start_sb[hdr->tiling.rows] = sby;
             sby += tile_h;
         }