aom: Detect an invalid row offset get_ls_tile_buffer()

From 4aefb9325a25dbc2d818d84c06a976ebd3fe5c7d Mon Sep 17 00:00:00 2001
From: Wan-Teh Chang <[EMAIL REDACTED]>
Date: Tue, 28 May 2024 14:24:57 -0700
Subject: [PATCH] Detect an invalid row offset get_ls_tile_buffer()

row - offset is used as an array index, so it should not be negative.

Bug: oss-fuzz:68774
Change-Id: I0c075202da0b5007887aafde4e1a55acdd866d08
---
 av1/decoder/decodeframe.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/av1/decoder/decodeframe.c b/av1/decoder/decodeframe.c
index c027308ff..d25651229 100644
--- a/av1/decoder/decodeframe.c
+++ b/av1/decoder/decodeframe.c
@@ -2241,6 +2241,12 @@ static AOM_INLINE void get_ls_tile_buffer(
   if (tile_copy_mode && (size >> (tile_size_bytes * 8 - 1)) == 1) {
     // The remaining bits in the top byte signal the row offset
     int offset = (size >> (tile_size_bytes - 1) * 8) & 0x7f;
+    if (offset > row) {
+      aom_internal_error(
+          error_info, AOM_CODEC_CORRUPT_FRAME,
+          "Invalid row offset in tile copy mode: row=%d offset=%d", row,
+          offset);
+    }
 
     // Currently, only use tiles in same column as reference tiles.
     copy_data = tile_buffers[row - offset][col].data;