From eadbdca74376fe6a87f31db87471d7c9d3e09092 Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang <[EMAIL REDACTED]>
Date: Tue, 28 May 2024 14:24:57 -0700
Subject: [PATCH] Detect an invalid row offset get_ls_tile_buffer()
row - offset is used as an array index, so it should not be negative.
Bug: oss-fuzz:68774
Change-Id: I0c075202da0b5007887aafde4e1a55acdd866d08
(cherry picked from commit 4aefb9325a25dbc2d818d84c06a976ebd3fe5c7d)
---
av1/decoder/decodeframe.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/av1/decoder/decodeframe.c b/av1/decoder/decodeframe.c
index 650e44064..0277f6005 100644
--- a/av1/decoder/decodeframe.c
+++ b/av1/decoder/decodeframe.c
@@ -2241,6 +2241,12 @@ static AOM_INLINE void get_ls_tile_buffer(
if (tile_copy_mode && (size >> (tile_size_bytes * 8 - 1)) == 1) {
// The remaining bits in the top byte signal the row offset
int offset = (size >> (tile_size_bytes - 1) * 8) & 0x7f;
+ if (offset > row) {
+ aom_internal_error(
+ error_info, AOM_CODEC_CORRUPT_FRAME,
+ "Invalid row offset in tile copy mode: row=%d offset=%d", row,
+ offset);
+ }
// Currently, only use tiles in same column as reference tiles.
copy_data = tile_buffers[row - offset][col].data;
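Review bot: The new `if (offset > row)` guard protects the `tile_buffers[row - offset][col]` index only if `aom_internal_error()` never returns, because no `return` or `else` follows the call. Its definition is not visible in this hunk, so it is worth confirming that it always unwinds on this decode path. If it does, a comment above the index would record that, e.g. `// aom_internal_error() does not return; row - offset is >= 0 from here on.` `offset` is taken from the top byte of the tile size field in the bitstream, so it is untrusted input. Separately, `offset == 0` passes the check and makes the tile reference its own `tile_buffers[row][col]` entry; whether that entry is already populated at this point cannot be told from the hunk. The body of `get_ls_tile_buffer()` starts and ends outside the hunk.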