read_tile_info: Validate context_update_tile_id. context_update_tile_id should be less than the number of tiles. BUG=aomedia:2090 BUG=oss-fuzz:9720 Change-Id: Ic02900ec50dc8f4af6dea3678f49e1bec41a770c (cherry picked from commit 7c24185d7b45a1795fcfa5f33b912bd725f0ab33)
diff --git a/av1/decoder/decodeframe.c b/av1/decoder/decodeframe.c
index adddb63..da43442 100644
--- a/av1/decoder/decodeframe.c
+++ b/av1/decoder/decodeframe.c
@@ -2344,6 +2344,10 @@ // tile to use for cdf update cm->context_update_tile_id = aom_rb_read_literal(rb, cm->log2_tile_rows + cm->log2_tile_cols); + if (cm->context_update_tile_id >= cm->tile_rows * cm->tile_cols) { + aom_internal_error(&cm->error, AOM_CODEC_CORRUPT_FRAME, + "Invalid context_update_tile_id"); + } // tile size magnitude pbi->tile_size_bytes = aom_rb_read_literal(rb, 2) + 1; } @@ -5249,6 +5253,7 @@ if (!xd->corrupted) { if (cm->refresh_frame_context == REFRESH_FRAME_CONTEXT_BACKWARD) { + assert(cm->context_update_tile_id < pbi->allocated_tiles); *cm->fc = pbi->tile_data[cm->context_update_tile_id].tctx; av1_reset_cdf_symbol_counters(cm->fc); }
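Review bot: In the first hunk (around line 2344) the bitstream value is written into `cm->context_update_tile_id` before the new range check runs, so an out-of-range id stays in the shared frame state after `aom_internal_error` is raised. Whether any later path reads `cm` after that error is not visible here, but reading the literal into a local, validating it, and assigning only on success would remove the question. The check would also benefit from a short comment saying why it is needed, for example `// The literal is log2_tile_rows + log2_tile_cols bits wide, so it can encode ids >= tile_rows * tile_cols.` The enclosing function starts and ends outside the hunk.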
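Review bot: In the second hunk (around line 5253) the only guard on the `pbi->tile_data[cm->context_update_tile_id]` index is an `assert`, which is compiled out under `NDEBUG`, so release builds still depend entirely on the parse-time check. That check bounds the id by `cm->tile_rows * cm->tile_cols`, while this one uses `pbi->allocated_tiles`, and the hunk does not show that the allocated count is always at least the tile count. If that invariant can fail, a runtime guard is safer than the assert, for example `if (cm->context_update_tile_id >= pbi->allocated_tiles) aom_internal_error(&cm->error, AOM_CODEC_CORRUPT_FRAME, "Invalid context_update_tile_id");`. Otherwise a comment next to the assert stating where the invariant is established would do. The enclosing function starts and ends outside the hunk.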