From: Seungha Yang <seungha@centricular.com>
Date: Wed, 10 Jan 2024 03:33:59 +0900
Subject: av1parser: Fix potential stack overflow during tile list parsing
Origin: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/394d5066f8a7b728df02fe9084e955b2f7d7f6fe
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-0444

The tile_count_minus_1 must be less than or equal to 511 as specified
in spec "6.11.1 General tile list OBU semantics"

Fixes #3214 / CVE-2024-0444 / ZDI-CAN-22873

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5971>
---
 .../gst-libs/gst/codecparsers/gstav1parser.c               | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/gst-libs/gst/codecparsers/gstav1parser.c
+++ b/gst-libs/gst/codecparsers/gstav1parser.c
@@ -4325,6 +4325,13 @@ gst_av1_parser_parse_tile_list_obu (GstA
   tile_list->output_frame_width_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
   tile_list->output_frame_height_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
   tile_list->tile_count_minus_1 = AV1_READ_BITS (br, 16);
+  if (tile_list->tile_count_minus_1 + 1 > GST_AV1_MAX_TILE_COUNT) {
+    GST_WARNING ("Invalid tile_count_minus_1 %d",
+        tile_list->tile_count_minus_1);
+    retval = GST_AV1_PARSER_BITSTREAM_ERROR;
+    goto error;
+  }
+
   for (tile = 0; tile <= tile_list->tile_count_minus_1; tile++) {
     if (AV1_REMAINING_BITS (br) < 8 + 8 + 8 + 16) {
       retval = GST_AV1_PARSER_NO_MORE_DATA;
-- 
2.43.0