From a9380fee17a2ec3d809f5495d9d6ddd384b04ba0 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Wed, 3 Oct 2018 11:41:52 +0200
Subject: frame header: fix tile size parsing for non-uniform tiles Spotted by David Michael Barr Fixes a fuzzing crash in crash-96e2d10fd8effbbcb0c8eedcbe05de50b1582fd2.
---
 src/obu.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/obu.c b/src/obu.c
index 0ea7eaf..93bf519 100644
--- a/src/obu.c
+++ b/src/obu.c
@@ -461,8 +461,8 @@ static int parse_frame_hdr(Dav1dContext *const c, GetBits *const gb,
 hdr->tiling.cols = 0;
 int widest_tile = 0, max_tile_area_sb = sbw * sbh;
 for (int sbx = 0; sbx < sbw; hdr->tiling.cols++) {
- const int tile_w = get_uniform(gb, imin(sbw - sbx,
- max_tile_width_sb));
+ const int tile_w = 1 + get_uniform(gb, imin(sbw - sbx,
+ max_tile_width_sb));
 hdr->tiling.col_start_sb[hdr->tiling.cols] = sbx;
 sbx += tile_w;
 widest_tile = imax(widest_tile, tile_w);
@@ -473,8 +473,8 @@ static int parse_frame_hdr(Dav1dContext *const c, GetBits *const gb,
 hdr->tiling.rows = 0;
 for (int sby = 0; sby < sbh; hdr->tiling.rows++) {
- const int tile_h = get_uniform(gb, imin(sbh - sby,
- max_tile_height_sb));
+ const int tile_h = 1 + get_uniform(gb, imin(sbh - sby,
+ max_tile_height_sb));
 hdr->tiling.row_start_sb[hdr->tiling.rows] = sby;
 sby += tile_h;
 }
-- cgit v1.2.3
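Review bot: In the column loop the only bound is `sbx < sbw`, so nothing visible in this hunk keeps `hdr->tiling.cols` within the capacity of `hdr->tiling.col_start_sb` before the store `hdr->tiling.col_start_sb[hdr->tiling.cols] = sbx;`. With the `1 +` correction every tile is at least one superblock wide, so the loop now terminates, but the count can still reach `sbw`; if the array is fixed-size (its declaration is outside the hunk), the condition should also cap the count, e.g. `sbx < sbw && hdr->tiling.cols < MAX_TILE_COLS_PLACEHOLDER`, and treat hitting the cap with `sbx < sbw` as a malformed header. The row loop in the second hunk has the same shape with `hdr->tiling.rows` and `row_start_sb`. Both loops sit inside `parse_frame_hdr`, which starts and ends outside these hunks, so a check elsewhere in the function cannot be ruled out from here.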