ref: c5d283bd8c298143188e454e47a2ce78acc5f265
parent: 1b5d335959c75f477ca4566cf72158f426ea74f8
author: Janne Grunau <[email protected]>
date: Wed Oct 3 10:36:20 EDT 2018
tile: check for arithmetic underflow in tile setup Fixes a fuzzing crash in crash-5f55445c56a36f28259bc742dd08b2c5ba42045d.
--- a/src/decode.c
+++ b/src/decode.c
@@ -2513,6 +2513,7 @@
if (j == f->tile[i].end - empty_tiles) {
tile_sz = size;
} else {
+ if (f->frame_hdr.tiling.n_bytes > size) goto error;
tile_sz = 0;
for (int k = 0; k < f->frame_hdr.tiling.n_bytes; k++)
tile_sz |= *data++ << (k * 8);
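Review bot: The shift in `tile_sz |= *data++ << (k * 8);` is done on an int-promoted value (assuming `data` points at bytes), so if `n_bytes` can reach 4, a byte of 0x80 or more shifted left by 24 overflows a signed int, which is undefined behaviour on bitstream-controlled input. Casting first avoids it: `tile_sz |= (unsigned)*data++ << (k * 8);`. Separately, the added `n_bytes > size` guard only proves the length prefix is readable. The decoded `tile_sz` still has to be compared against the bytes left after the prefix (`size - n_bytes`) before it is used. That code is outside this hunk, so please confirm the check exists, and add a comment on the guard such as `/* length prefix must fit in the remaining payload */`.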