diff options
author | Janne Grunau <janne-vlc@jannau.net> | 2018-11-15 12:10:18 +0300 |
---|---|---|
committer | Janne Grunau <janne-vlc@jannau.net> | 2018-11-15 12:10:18 +0300 |
commit | a1e945ca3020ee758a81e78a213c3af41cd4ffcc (patch) | |
tree | 0c9cbd37c3e390f9bcc92b2eff79428d47b5ef1c | |
parent | a6b94ca9e5cded0070419a02d9cadaa5f45b2d0d (diff) |
obu: tile_group and frame OBUs do not have trailing bits
The number of read bits can be equal to the size of the packet. Fixes a
triggered assert in
clusterfuzz-testcase-minimized-dav1d_fuzzer-5746175664193536. Credits to
oss-fuzz.
-rw-r--r-- | src/obu.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -1149,7 +1149,7 @@ int dav1d_parse_obus(Dav1dContext *const c, Dav1dData *const in) { // otherwise the overrun check would have fired. const unsigned bit_pos = dav1d_get_bits_pos(&gb); assert((bit_pos & 7) == 0); - assert(pkt_bytelen > (bit_pos >> 3)); + assert(pkt_bytelen >= (bit_pos >> 3)); dav1d_ref_inc(in->ref); c->tile[c->n_tile_data].data.ref = in->ref; c->tile[c->n_tile_data].data.data = in->data + (bit_pos >> 3); |