shithub: dav1d


ref: c5d283bd8c298143188e454e47a2ce78acc5f265
parent: 1b5d335959c75f477ca4566cf72158f426ea74f8
author: Janne Grunau <janne-vlc@jannau.net>
date: Wed Oct 3 10:36:20 EDT 2018

tile: check for arithmetic underflow in tile setup

Fixes a fuzzing crash in crash-5f55445c56a36f28259bc742dd08b2c5ba42045d.

--- a/src/decode.c
+++ b/src/decode.c
@@ -2513,6 +2513,7 @@
             if (j == f->tile[i].end - empty_tiles) {
                 tile_sz = size;
             } else {
+                if (f->frame_hdr.tiling.n_bytes > size) goto error;
                 tile_sz = 0;
                 for (int k = 0; k < f->frame_hdr.tiling.n_bytes; k++)
                     tile_sz |= *data++ << (k * 8);
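Review bot: The loop line `tile_sz |= *data++ << (k * 8);`, which the new guard now protects from over-reading, still shifts a byte that has been promoted to int. If `data` is a byte pointer and n_bytes can reach 4 (neither declaration is visible in this hunk), a final byte of 0x80 or more is shifted into the sign bit, which is undefined behaviour; `tile_sz |= (unsigned)*data++ << (k * 8);` avoids it. The added `if (f->frame_hdr.tiling.n_bytes > size) goto error;` would also benefit from a short comment such as `/* the length prefix itself must fit in the remaining input */`, since the arithmetic it protects is not next to it. The hunk ends inside the loop, so the later comparison of the decoded tile_sz against the remaining size is outside this view and should be confirmed to follow.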