aom: Check data_end before advancing the data pointer

From 08efc1491525624dc5f5ebf0e450227524a7db4f Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang <[EMAIL REDACTED]>
Date: Mon, 4 Mar 2024 17:11:12 -0800
Subject: [PATCH] Check data_end before advancing the data pointer

get_ls_tile_buffers() should check data_end before advancing the data
pointer.

Bug: oss-fuzz:67059
Bug: oss-fuzz:67162
Bug: oss-fuzz:67184
Bug: oss-fuzz:67216
Bug: chromium:327719168
Change-Id: Ib6582c2b3319234e6b7177bebb2798c7a9c239a4
---
 av1/decoder/decodeframe.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/av1/decoder/decodeframe.c b/av1/decoder/decodeframe.c
index 19644f35e..4e3fc45a5 100644
--- a/av1/decoder/decodeframe.c
+++ b/av1/decoder/decodeframe.c
@@ -2303,8 +2303,16 @@ static const uint8_t *get_ls_tile_buffers(
       size_t tile_col_size;
 
       if (!is_last) {
+        if (tile_col_size_bytes > data_end - data) {
+          aom_internal_error(&pbi->error, AOM_CODEC_CORRUPT_FRAME,
+                             "Not enough data to read tile_col_size");
+        }
         tile_col_size = mem_get_varsize(data, tile_col_size_bytes);
         data += tile_col_size_bytes;
+        if (tile_col_size > (size_t)(data_end - data)) {
+          aom_internal_error(&pbi->error, AOM_CODEC_CORRUPT_FRAME,
+                             "tile_col_data_end[%d] is out of bound", c);
+        }
         tile_col_data_end[c] = data + tile_col_size;
       } else {
         tile_col_size = data_end - data;