read_tile_info: Validate context_update_tile_id.
context_update_tile_id should be less than the number of tiles.
BUG=aomedia:2090
BUG=oss-fuzz:9720
Change-Id: Ic02900ec50dc8f4af6dea3678f49e1bec41a770c
(cherry picked from commit 7c24185d7b45a1795fcfa5f33b912bd725f0ab33)
diff --git a/av1/decoder/decodeframe.c b/av1/decoder/decodeframe.c
index adddb63..da43442 100644
--- a/av1/decoder/decodeframe.c
+++ b/av1/decoder/decodeframe.c
@@ -2344,6 +2344,10 @@
// tile to use for cdf update
cm->context_update_tile_id =
aom_rb_read_literal(rb, cm->log2_tile_rows + cm->log2_tile_cols);
+ if (cm->context_update_tile_id >= cm->tile_rows * cm->tile_cols) {
+ aom_internal_error(&cm->error, AOM_CODEC_CORRUPT_FRAME,
+ "Invalid context_update_tile_id");
+ }
// tile size magnitude
pbi->tile_size_bytes = aom_rb_read_literal(rb, 2) + 1;
}
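Review bot: The bounds check added in the first hunk runs only after the raw bitstream value has been written to `cm->context_update_tile_id`, so the out-of-range index stays in the shared state on the error path. That is harmless only if `aom_internal_error` never returns at this point, which the hunk does not show; reading the literal into a local and assigning it to `cm` after the check would remove that dependency. The second hunk's `assert(cm->context_update_tile_id < pbi->allocated_tiles)` is compiled out under NDEBUG and tests a different bound than `cm->tile_rows * cm->tile_cols`, so release builds rely on this parse-time check alone to keep the `pbi->tile_data[...]` index in range. A comment above the check, such as `// Sole release-build guard for the pbi->tile_data[] index used in the backward context update.`, would record that. Both enclosing functions start and end outside the hunks, so how `allocated_tiles` relates to the tile count cannot be confirmed from here.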
@@ -5249,6 +5253,7 @@
if (!xd->corrupted) {
if (cm->refresh_frame_context == REFRESH_FRAME_CONTEXT_BACKWARD) {
+ assert(cm->context_update_tile_id < pbi->allocated_tiles);
*cm->fc = pbi->tile_data[cm->context_update_tile_id].tctx;
av1_reset_cdf_symbol_counters(cm->fc);
}