From f6f39c97eac30c8d50d2f97e8c7af5e3f3610610 Mon Sep 17 00:00:00 2001
From: Yunqing Wang <[EMAIL REDACTED]>
Date: Tue, 5 Mar 2024 18:51:58 -0800
Subject: [PATCH] Add handling for invalid frame bitstream
For large scale tile decoding, the output frame is used to store the
decoded tile list. The decoded tile list has to fit into 1 output
frame. Otherwise, this is invalid and the decoder should fail with
error.
Bug: oss-fuzz:67132
Change-Id: Ie269345507329e599d07c05d3eda8c0f07cde17c
---
av1/decoder/obu.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/av1/decoder/obu.c b/av1/decoder/obu.c
index b6444028e..e0b2d87c3 100644
--- a/av1/decoder/obu.c
+++ b/av1/decoder/obu.c
@@ -495,6 +495,16 @@ static uint32_t read_and_decode_one_tile_list(AV1Decoder *pbi,
pbi->output_frame_width_in_tiles_minus_1 = aom_rb_read_literal(rb, 8);
pbi->output_frame_height_in_tiles_minus_1 = aom_rb_read_literal(rb, 8);
pbi->tile_count_minus_1 = aom_rb_read_literal(rb, 16);
+
+ // The output frame is used to store the decoded tile list. The decoded tile
+ // list has to fit into 1 output frame.
+ if ((pbi->tile_count_minus_1 + 1) >
+ (pbi->output_frame_width_in_tiles_minus_1 + 1) *
+ (pbi->output_frame_height_in_tiles_minus_1 + 1)) {
+ pbi->error.error_code = AOM_CODEC_CORRUPT_FRAME;
+ return 0;
+ }
+
if (pbi->tile_count_minus_1 > MAX_TILES - 1) {
pbi->error.error_code = AOM_CODEC_CORRUPT_FRAME;
return 0;
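Review bot: The new fit check and the existing `MAX_TILES - 1` guard directly below it assign the same error code and return the same value, so they could be folded into one condition with a single error path, e.g. `if (pbi->tile_count_minus_1 > MAX_TILES - 1 || (pbi->tile_count_minus_1 + 1) > (pbi->output_frame_width_in_tiles_minus_1 + 1) * (pbi->output_frame_height_in_tiles_minus_1 + 1)) {`, which keeps the two bitstream-validity rejections adjacent and easier to audit. The arithmetic in the new condition looks safe as written: width and height are read as 8-bit literals, so the product is at most 65536, and the 16-bit tile count plus one is at most 65536, assuming the three fields are at least int-wide (their declarations are not in the hunk). The comment could state the consequence the check prevents rather than restating the inequality, e.g. `// Each decoded tile is written into the output frame, so the tile count must not exceed the frame's tile grid; reject the bitstream otherwise.`. The enclosing read_and_decode_one_tile_list starts before and continues past this hunk.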