From b2b07755e02d14a699142a6da691de492ab6872c Mon Sep 17 00:00:00 2001
From: James Zern <jzern@google.com>
Date: Sat, 21 Jun 2014 16:55:29 -0700
Subject: [PATCH] vp9: check tile column count

the max is 6. there are assumptions throughout the decode regarding this; fixes a crash with a fuzzed bitstream
$ zzuf -s 5861 -r 0.01:0.05 -b 6- \
 < vp90-2-00-quantizer-00.webm.ivf \
 | dd of=invalid-vp90-2-00-quantizer-00.webm.ivf.s5861_r01-05_b6-.ivf \
 bs=1 count=81883
Change-Id: I6af41bb34252e88bc156a4c27c80d505d45f5642
---
 test/invalid_file_test.cc | 3 ++-
 test/test-data.sha1 | 2 ++
 test/test.mk | 2 ++
 vp9/decoder/vp9_decodeframe.c | 4 ++++
 4 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/test/invalid_file_test.cc b/test/invalid_file_test.cc
index 6ec5564a1f..4933658470 100644
--- a/test/invalid_file_test.cc
+++ b/test/invalid_file_test.cc
@@ -95,7 +95,8 @@ TEST_P(InvalidFileTest, ReturnCode) {

 const char *const kVP9InvalidFileTests[] = {
 "invalid-vp90-01.webm",
- "invalid-vp90-02.webm"
+ "invalid-vp90-02.webm",
+ "invalid-vp90-2-00-quantizer-00.webm.ivf.s5861_r01-05_b6-.ivf",
 };

 #define NELEMENTS(x) static_cast<int>(sizeof(x) / sizeof(x[0]))
diff --git a/test/test-data.sha1 b/test/test-data.sha1
index 2755835833..bc6f77ed18 100644
--- a/test/test-data.sha1
+++ b/test/test-data.sha1
@@ -644,3 +644,5 @@ e615575ded499ea1d992f3b38e3baa434509cdcd vp90-2-15-segkey.webm
 e3ab35d4316c5e81325c50f5236ceca4bc0d35df vp90-2-15-segkey.webm.md5
 9b7ca2cac09d34c4a5d296c1900f93b1e2f69d0d vp90-2-15-segkey_adpq.webm
 8f46ba5f785d0c2170591a153e0d0d146a7c8090 vp90-2-15-segkey_adpq.webm.md5
+76024eb753cdac6a5e5703aaea189d35c3c30ac7 invalid-vp90-2-00-quantizer-00.webm.ivf.s5861_r01-05_b6-.ivf
+d3964f9dad9f60363c81b688324d95b4ec7c8038 invalid-vp90-2-00-quantizer-00.webm.ivf.s5861_r01-05_b6-.ivf.res
diff --git a/test/test.mk b/test/test.mk
index a8397235db..af344e52eb 100644
--- a/test/test.mk
+++ b/test/test.mk
@@ -766,6 +766,8 @@ LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-01.webm
 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-01.webm.res
 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-02.webm
 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-02.webm.res
+LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-00-quantizer-00.webm.ivf.s5861_r01-05_b6-.ivf
+LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-00-quantizer-00.webm.ivf.s5861_r01-05_b6-.ivf.res

 ifeq ($(CONFIG_DECODE_PERF_TESTS),yes)
 # BBB VP9 streams
diff --git a/vp9/decoder/vp9_decodeframe.c b/vp9/decoder/vp9_decodeframe.c
index f36105fcf4..9220a9eecb 100644
--- a/vp9/decoder/vp9_decodeframe.c
+++ b/vp9/decoder/vp9_decodeframe.c
@@ -685,6 +685,10 @@ static void setup_tile_info(VP9_COMMON *cm, struct vp9_read_bit_buffer *rb) {
 while (max_ones-- && vp9_rb_read_bit(rb))
 cm->log2_tile_cols++;

+ if (cm->log2_tile_cols > 6)
+ vpx_internal_error(&cm->error, VPX_CODEC_CORRUPT_FRAME,
+ "Invalid number of tile columns");
+
 // rows
 cm->log2_tile_rows = vp9_rb_read_bit(rb);
 if (cm->log2_tile_rows)
-- 
GitLab
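Review bot: The new range check in setup_tile_info runs only after the loop has already stored the out-of-range count in `cm->log2_tile_cols`, so the shared VP9_COMMON still holds a value above 6 when the error is raised. As far as I recall, vpx_internal_error unwinds only when the caller has armed `cm->error.setjmp`; on any path where it returns, parsing would continue into the `// rows` code with the bad column count, and nothing visible here shows whether later code reads the field before the next header parse. Resetting the field before reporting would close that gap: add braces to the `if` and put `cm->log2_tile_cols = 0;` immediately ahead of the `vpx_internal_error(...)` call, or count into a local and assign it to `cm` only after validation. The bare `6` should also become a named constant with a comment such as `// decoder-wide assumption: at most 1 << 6 tile columns`, so the places the commit message says depend on this limit can refer to the same definition. The body of setup_tile_info starts and ends outside this hunk.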