
heap-buffer-overflow in setup_tile dav1d/src/decode.c

Found with commit acd90b71

Steps to reproduce:

  1. build dav1d with AddressSanitizer
  2. run the attached testcase with the dav1d executable: ./dav1d -i testcase.ivf -o out.ivf

testcase.ivf

Marked as confidential since this is a security issue and I'm not sure if this code is being used in production anywhere. Please feel free to open it if it is safe to do so.

==26914==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63100003d7c0 at pc 0x0000005185b2 bp 0x7ffdaae44150 sp 0x7ffdaae44148
WRITE of size 8 at 0x63100003d7c0 thread T0
    #0 0x5185b1 in setup_tile dav1d/src/decode.c:2039:30
    #1 0x5185b1 in dav1d_decode_frame dav1d/src/decode.c:2522
    #2 0x51ccd1 in dav1d_submit_frame dav1d/src/decode.c:2956:20
    #3 0x504298 in dav1d_parse_obus dav1d/src/obu.c:1075:20
    #4 0x4f5f87 in dav1d_decode dav1d/src/lib.c:193:20
    #5 0x4eaa77 in main dav1d/tools/dav1d.c:108:20
    #6 0x7f652cd7182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
    #7 0x418d38 in _start (dav1d+0x418d38)
Edited by Tyson Smith
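As an added example (not dav1d code and not part of the reporter's issue), the following Python script turns an AddressSanitizer report like the one above into a structured triage record: error kind, access type and size, the first in-project frame, and a build-independent signature for de-duplicating fuzzer findings. The report text is embedded as a constructed copy of the one quoted in the issue so the script runs offline; the `project_prefix` argument is an assumed convention for deciding which frame the bug is attributed to.

```python
"""Parse an AddressSanitizer report into a structured triage record.

Added example (not dav1d code or the reporter's): extracts the fields a crash
tracker keys on and builds a signature that ignores pc values and columns,
which vary between builds, so repeated findings of the same bug group together.
"""
import re

# Constructed copy of the report quoted in the issue, embedded so the script runs offline.
ASAN_REPORT = """\
==26914==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63100003d7c0 at pc 0x0000005185b2 bp 0x7ffdaae44150 sp 0x7ffdaae44148
WRITE of size 8 at 0x63100003d7c0 thread T0
    #0 0x5185b1 in setup_tile dav1d/src/decode.c:2039:30
    #1 0x5185b1 in dav1d_decode_frame dav1d/src/decode.c:2522
    #2 0x51ccd1 in dav1d_submit_frame dav1d/src/decode.c:2956:20
    #3 0x504298 in dav1d_parse_obus dav1d/src/obu.c:1075:20
    #4 0x4f5f87 in dav1d_decode dav1d/src/lib.c:193:20
    #5 0x4eaa77 in main dav1d/tools/dav1d.c:108:20
    #6 0x7f652cd7182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
    #7 0x418d38 in _start (dav1d+0x418d38)
"""

HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)",
    re.M,
)
ACCESS_RE = re.compile(
    r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) thread (?P<thread>T\d+)",
    re.M,
)
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) (?P<pc>0x[0-9a-f]+) in (?P<func>\S+) (?P<loc>\S+)", re.M)
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::(?P<col>\d+))?$")


def parse_frames(report):
    """Return the stack frames as dicts; unsymbolized frames keep file/line/col as None."""
    frames = []
    for m in FRAME_RE.finditer(report):
        frame = {"idx": int(m.group("idx")), "pc": m.group("pc"), "func": m.group("func"),
                 "file": None, "line": None, "col": None}
        loc = LOC_RE.match(m.group("loc"))
        if loc:  # symbolized as path:line[:col]; "(binary+0xoff)" frames do not match
            frame["file"] = loc.group("file")
            frame["line"] = int(loc.group("line"))
            frame["col"] = int(loc.group("col")) if loc.group("col") else None
        frames.append(frame)
    return frames


def triage(report, project_prefix="dav1d/"):
    """Extract the fields a crash tracker keys on from one ASan report.

    project_prefix is an assumed convention: the first frame whose path starts
    with it is treated as the in-project crash site (frame #0 if none matches).
    """
    header = HEADER_RE.search(report)
    if not header:
        raise ValueError("not an AddressSanitizer error report")
    access = ACCESS_RE.search(report)
    frames = parse_frames(report)
    crash_frame = next((f for f in frames if f["file"] and f["file"].startswith(project_prefix)),
                       frames[0] if frames else None)
    record = {
        "kind": header.group("kind"),
        "addr": header.group("addr"),
        "access": access.group("access") if access else None,
        "size": int(access.group("size")) if access else None,
        "thread": access.group("thread") if access else None,
        "crash_frame": crash_frame,
        "frames": frames,
    }
    # An access line naming a different address than the header means the report is
    # malformed (e.g. two reports interleaved); flag it rather than trust it.
    record["consistent"] = access is None or access.group("addr") == header.group("addr")
    # Signature for de-duplication: kind, access, size and the in-project func@file:line.
    where = (f"{crash_frame['func']}@{crash_frame['file']}:{crash_frame['line']}"
             if crash_frame else "unknown")
    record["signature"] = f"{record['kind']}/{record['access']}/{record['size']}/{where}"
    return record


if __name__ == "__main__":
    r = triage(ASAN_REPORT)
    print(r["signature"])
    for f in r["frames"]:
        print(f"#{f['idx']} {f['func']} " + (f"{f['file']}:{f['line']}" if f["file"] else "(unsymbolized)"))
```

Run stand-alone it prints the signature `heap-buffer-overflow/WRITE/8/setup_tile@dav1d/src/decode.c:2039` followed by the frame list; feeding reports from a fuzzing campaign through `triage()` and bucketing on `signature` keeps separate builds of the same crash in one bucket, while `consistent` catches interleaved or truncated output before it pollutes the buckets.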