Google Git
Sign in
aomedia/aom/4aefb9325a25dbc2d818d84c06a976ebd3fe5c7d^!/.
commit
4aefb9325a25dbc2d818d84c06a976ebd3fe5c7d
[log]
author
Wan-Teh Chang <wtc@google.com>
Tue May 28 14:24:57 2024 -0700
committer
Wan-Teh Chang <wtc@google.com>
Tue May 28 14:26:38 2024 -0700
tree
e6c0ace31be447bad637b41f2f631ef8b90a3957
parent
81621c69dca2d5984e2c4999b2911e520c36bb85 [diff]
Detect an invalid row offset get_ls_tile_buffer()

row - offset is used as an array index, so it should not be negative.

Bug: oss-fuzz:68774
Change-Id: I0c075202da0b5007887aafde4e1a55acdd866d08

diff --git a/av1/decoder/decodeframe.c b/av1/decoder/decodeframe.c
index c027308..d256512 100644
--- a/av1/decoder/decodeframe.c
+++ b/av1/decoder/decodeframe.c

@@ -2241,6 +2241,12 @@
   if (tile_copy_mode && (size >> (tile_size_bytes * 8 - 1)) == 1) {
     // The remaining bits in the top byte signal the row offset
     int offset = (size >> (tile_size_bytes - 1) * 8) & 0x7f;
+    if (offset > row) {
+      aom_internal_error(
+          error_info, AOM_CODEC_CORRUPT_FRAME,
+          "Invalid row offset in tile copy mode: row=%d offset=%d", row,
+          offset);
+    }
 
     // Currently, only use tiles in same column as reference tiles.
     copy_data = tile_buffers[row - offset][col].data;