From b76a801f57353b893c344025cac56413140fca6d Mon Sep 17 00:00:00 2001
From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Date: Wed, 4 Oct 2023 11:14:38 +0200
Subject: [PATCH] codecparsers: av1: Clip max tile rows and cols values

Clip tile rows and cols to 64 as describe in AV1 specification.

Fixes ZDI-CAN-22226 / CVE-2023-44429

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3015

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5637>
---
 subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
index 9fda4fb..e65a154 100644
--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
+++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.c
@@ -2229,6 +2229,8 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
       ((parser->state.mi_cols + 31) >> 5) : ((parser->state.mi_cols + 15) >> 4);
   sb_rows = seq_header->use_128x128_superblock ? ((parser->state.mi_rows +
           31) >> 5) : ((parser->state.mi_rows + 15) >> 4);
+  sb_cols = MIN (GST_AV1_MAX_TILE_COLS, sb_cols);
+  sb_rows = MIN (GST_AV1_MAX_TILE_ROWS, sb_rows);
   sb_shift = seq_header->use_128x128_superblock ? 5 : 4;
   sb_size = sb_shift + 2;
   max_tile_width_sb = GST_AV1_MAX_TILE_WIDTH >> sb_size;
-- 
2.7.4