diff options
| author | Janne Grunau <janne-vlc@jannau.net> | 2018-10-03 12:41:52 +0300 |
|---|---|---|
| committer | Janne Grunau <janne-vlc@jannau.net> | 2018-10-03 16:31:26 +0300 |
| commit | a9380fee17a2ec3d809f5495d9d6ddd384b04ba0 (patch) | |
| tree | be6b92e3957cf90bdb570ffde02077b6cfc5e4c7 | |
| parent | a537c5acd9c4bd3b37c83b5783b3f3414fdf907a (diff) | |
frame header: fix tile size parsing for non-uniform tiles
Spotted by David Michael Barr <b@rr-dav.id.au>
Fixes a fuzzing crash in crash-96e2d10fd8effbbcb0c8eedcbe05de50b1582fd2.
| -rw-r--r-- | src/obu.c | 8 |
1 files changed, 4 insertions, 4 deletions
@@ -461,8 +461,8 @@ static int parse_frame_hdr(Dav1dContext *const c, GetBits *const gb, hdr->tiling.cols = 0; int widest_tile = 0, max_tile_area_sb = sbw * sbh; for (int sbx = 0; sbx < sbw; hdr->tiling.cols++) { - const int tile_w = get_uniform(gb, imin(sbw - sbx, - max_tile_width_sb)); + const int tile_w = 1 + get_uniform(gb, imin(sbw - sbx, + max_tile_width_sb)); hdr->tiling.col_start_sb[hdr->tiling.cols] = sbx; sbx += tile_w; widest_tile = imax(widest_tile, tile_w); @@ -473,8 +473,8 @@ static int parse_frame_hdr(Dav1dContext *const c, GetBits *const gb, hdr->tiling.rows = 0; for (int sby = 0; sby < sbh; hdr->tiling.rows++) { - const int tile_h = get_uniform(gb, imin(sbh - sby, - max_tile_height_sb)); + const int tile_h = 1 + get_uniform(gb, imin(sbh - sby, + max_tile_height_sb)); hdr->tiling.row_start_sb[hdr->tiling.rows] = sby; sby += tile_h; } |