commit bd7b9998510d6d8bb9c6804cbfcabf5b3579935b
author Wan-Teh Chang <wtc@google.com> Wed Jun 19 16:34:02 2019 -0700
committer Wan-Teh Chang <wtc@google.com> Wed Jun 19 16:34:02 2019 -0700
tree 4a7add4feea901a000cfff9e9d387f7fff77b32e
parent 0a121a9b1131f12c0bf218b2cfa15db162b28f26

Check if tg_end is less than NumTiles.

The tg_end field of the last tile group is equal to NumTiles - 1.
Therefore, the tg_end field of any tile group must be less than
NumTiles, even though this requirement is not explicitly stated in the
AV1 spec.

BUG=oss-fuzz:15363

Change-Id: I278ad517ad9813d242fd51abacb564019646b4bb

av1/decoder/obu.c

diff --git a/av1/decoder/obu.c b/av1/decoder/obu.c
index ef7619a..e41fed4 100644
--- a/av1/decoder/obu.c
+++ b/av1/decoder/obu.c
@@ -301,8 +301,16 @@
     *end_tile = aom_rb_read_literal(rb, tile_bits);
   }
   if (*start_tile > *end_tile) {
+    aom_internal_error(
+        &cm->error, AOM_CODEC_CORRUPT_FRAME,
+        "tg_end (%d) must be greater than or equal to tg_start (%d)", *end_tile,
+        *start_tile);
+    return -1;
+  }
+  if (*end_tile >= num_tiles) {
     aom_internal_error(&cm->error, AOM_CODEC_CORRUPT_FRAME,
-                       "tg_end must be greater than or equal to tg_start");
+                       "tg_end (%d) must be less than NumTiles (%d)", *end_tile,
+                       num_tiles);
     return -1;
   }
 

test/invalid_file_test.cc

diff --git a/test/invalid_file_test.cc b/test/invalid_file_test.cc
index c2f128c..470dfe7 100644
--- a/test/invalid_file_test.cc
+++ b/test/invalid_file_test.cc
@@ -143,6 +143,7 @@
   { 1, "invalid-oss-fuzz-11477.ivf", NULL },
   { 1, "invalid-oss-fuzz-11479.ivf", "invalid-oss-fuzz-11479.ivf.res.2" },
   { 1, "invalid-oss-fuzz-11523.ivf", "invalid-oss-fuzz-11523.ivf.res.2" },
+  { 4, "invalid-oss-fuzz-15363.ivf", NULL },
 };
 
 AV1_INSTANTIATE_TEST_CASE(InvalidFileTest,

test/test-data.sha1

diff --git a/test/test-data.sha1 b/test/test-data.sha1
index 6992886..22bb4cd 100644
--- a/test/test-data.sha1
+++ b/test/test-data.sha1
@@ -28,6 +28,8 @@
 b1a45514f0c59be03c9991cd04882426b9b930fa *invalid-oss-fuzz-11523.ivf
 7c44ac1723c14d98bcb888fbf118c959511519ba *invalid-oss-fuzz-11523.ivf.res
 3198c7af55a7d50173ce3c369c0cf2d9cdfface6 *invalid-oss-fuzz-11523.ivf.res.2
+cb445173be760c3554f1740ce4d119f57a7be043 *invalid-oss-fuzz-15363.ivf
+d3964f9dad9f60363c81b688324d95b4ec7c8038 *invalid-oss-fuzz-15363.ivf.res
 ccbe4081557eb44820a0e6337c4a094421826b9a *invalid-oss-fuzz-9288.ivf
 67c54283fe1a26ccf02cc991e4f9a1eea3ac5e78 *invalid-oss-fuzz-9288.ivf.res
 c0960f032484579f967881cc025b71cfd7a79ee1 *invalid-oss-fuzz-9463.ivf

test/test_data_util.cmake

diff --git a/test/test_data_util.cmake b/test/test_data_util.cmake
index fab3314..d646de6 100644
--- a/test/test_data_util.cmake
+++ b/test/test_data_util.cmake
@@ -541,6 +541,8 @@
               "invalid-oss-fuzz-11523.ivf"
               "invalid-oss-fuzz-11523.ivf.res"
               "invalid-oss-fuzz-11523.ivf.res.2"
+              "invalid-oss-fuzz-15363.ivf"
+              "invalid-oss-fuzz-15363.ivf.res"
               "invalid-oss-fuzz-9288.ivf"
               "invalid-oss-fuzz-9288.ivf.res"
               "invalid-oss-fuzz-9463.ivf"