[FFmpeg-devel] [PATCH 2/4] avcodec/av1dec: Check tile_group_info size before use

Michael Niedermayer michael at niedermayer.cc
Thu Sep 24 23:20:37 EEST 2020


Fixes: member access within null pointer of type 'TileGroupInfo' (aka 'struct TileGroupInfo')
Fixes: 25725/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AV1_fuzzer-5166692706287616

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavcodec/av1dec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c
index 0bb04a3e44..cf3a78aad8 100644
--- a/libavcodec/av1dec.c
+++ b/libavcodec/av1dec.c
@@ -209,6 +209,9 @@ static int get_tiles_info(AVCodecContext *avctx, const AV1RawTileGroup *tile_gro
     uint16_t tile_num, tile_row, tile_col;
     uint32_t size = 0, size_bytes = 0;
 
+    if (s->tile_num != s->raw_frame_header->tile_cols * s->raw_frame_header->tile_rows)
+        return AVERROR_INVALIDDATA;
+
     bytestream2_init(&gb, tile_group->tile_data.data,
                      tile_group->tile_data.data_size);
     s->tg_start = tile_group->tg_start;
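Review bot: the hunk validates `s->tile_num` against `tile_cols * tile_rows` from `s->raw_frame_header`, but nothing in it checks `s->tile_group_info` itself, which is what the commit title ("Check tile_group_info size before use") and the fuzzer report ("member access within null pointer of type 'TileGroupInfo'") point at; the guard only works if a mismatch in tile count is the sole way the array can be missing or undersized. A short comment above the `if` explaining that `s->tile_group_info` is sized from `s->tile_num` when the frame header is parsed, so a mismatch means the array does not match the current header, would make that dependency explicit; alternatively add a direct `!s->tile_group_info` check beside it. Also, returning bare `AVERROR_INVALIDDATA` with no `av_log(avctx, AV_LOG_ERROR, ...)` leaves the user with no indication of why the frame was dropped, which is the usual pattern elsewhere in libavcodec for rejecting malformed input.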
-- 
2.17.1
