shithub: dav1d

Download patch

ref: 57347c19187052242c1a8981e26ed6d046ed52d9
parent: f783078899f926f9431f1bf9e605cfe2395c462f
author: Janne Grunau <[email protected]>
date: Sat Oct 6 17:40:31 EDT 2018

decode_b: make sure seg_id is valid

Fixes heap overflow with
david-fuzzing-data:artifacts/crash-5c3b00780bb24ac2e123c3f172b1e4829bc98aa5.

--- a/src/decode.c
+++ b/src/decode.c
@@ -773,6 +773,7 @@
                 b->seg_id = neg_deinterleave(diff, pred_seg_id,
                                              last_active_seg_id + 1);
                 if (b->seg_id > last_active_seg_id) b->seg_id = 0; // error?
+                if (b->seg_id >= NUM_SEGMENTS) b->seg_id = 0; // error?
             }
 
             if (DEBUG_BLOCK_INFO)
@@ -821,6 +822,7 @@
                                              last_active_seg_id + 1);
                 if (b->seg_id > last_active_seg_id) b->seg_id = 0; // error?
             }
+            if (b->seg_id >= NUM_SEGMENTS) b->seg_id = 0; // error?
         }
 
         if (DEBUG_BLOCK_INFO)