
heap-buffer-overflow in dav1d_decode_tile_sbrow() src/decode.c

Found with commit acd90b71

Steps to reproduce:

  1. build dav1d with AddressSanitizer
  2. run the attached testcase with the dav1d executable: ./dav1d -i testcase.ivf -o out.ivf

testcase.ivf

==27639==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f00000dd80 at pc 0x00000050cd76 bp 0x7ffd3d3cc9d0 sp 0x7ffd3d3cc9c8
WRITE of size 1 at 0x62f00000dd80 thread T0
    #0 0x50cd75 in dav1d_decode_tile_sbrow src/decode.c:2119:39
    #1 0x515f72 in dav1d_decode_frame src/decode.c:2571:29
    #2 0x51ccd1 in dav1d_submit_frame src/decode.c:2956:20
    #3 0x504298 in dav1d_parse_obus src/obu.c:1075:20
    #4 0x4f5f87 in dav1d_decode src/lib.c:193:20
    #5 0x4eaa77 in main tools/dav1d.c:108:20
    #6 0x7fb6c330f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
    #7 0x418d38 in _start (dav1d+0x418d38)

0x62f00000dd80 is located 1280 bytes to the right of 54400-byte region [0x62f000000400,0x62f00000d880)
allocated by thread T0 here:
    #0 0x4b8e68 in __interceptor_malloc (dav1d+0x4b8e68)
    #1 0x511f92 in dav1d_decode_frame src/decode.c:2368:22
    #2 0x51ccd1 in dav1d_submit_frame src/decode.c:2956:20
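The numbers in the report above can be cross-checked from the raw addresses: the faulting address is 0x500 (1280) bytes past the end of a region whose bounds differ by 0xD480 (54400) bytes, which is exactly what ASan states. The following script is an added triage helper, not part of this issue or of dav1d; it parses the quoted report (embedded verbatim as a constructed input), recomputes the overrun distance and region size from the addresses, and pulls out the faulting frame and the first application frame of the allocation site. It assumes the standard AddressSanitizer heap-buffer-overflow report layout and nothing about dav1d internals.

```python
import re

# Constructed copy of the AddressSanitizer report quoted in the issue,
# embedded so the parser runs offline against the real report text.
ASAN_REPORT = """\
==27639==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f00000dd80 at pc 0x00000050cd76 bp 0x7ffd3d3cc9d0 sp 0x7ffd3d3cc9c8
WRITE of size 1 at 0x62f00000dd80 thread T0
    #0 0x50cd75 in dav1d_decode_tile_sbrow src/decode.c:2119:39
    #1 0x515f72 in dav1d_decode_frame src/decode.c:2571:29
    #2 0x51ccd1 in dav1d_submit_frame src/decode.c:2956:20
    #3 0x504298 in dav1d_parse_obus src/obu.c:1075:20
    #4 0x4f5f87 in dav1d_decode src/lib.c:193:20
    #5 0x4eaa77 in main tools/dav1d.c:108:20
    #6 0x7fb6c330f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
    #7 0x418d38 in _start (dav1d+0x418d38)

0x62f00000dd80 is located 1280 bytes to the right of 54400-byte region [0x62f000000400,0x62f00000d880)
allocated by thread T0 here:
    #0 0x4b8e68 in __interceptor_malloc (dav1d+0x4b8e68)
    #1 0x511f92 in dav1d_decode_frame src/decode.c:2368:22
    #2 0x51ccd1 in dav1d_submit_frame src/decode.c:2956:20
"""

# Patterns for the standard ASan report layout (assumed, not dav1d-specific).
ERROR_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x(?P<addr>[0-9a-f]+) thread (?P<thread>T\d+)", re.M)
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
    r"(?P<size>\d+)-byte region \[0x(?P<lo>[0-9a-f]+),0x(?P<hi>[0-9a-f]+)\)")


def parse_asan_report(text):
    """Extract the faulting access, the overrun region and both stacks from an
    ASan heap-buffer-overflow report, recomputing the distances from the raw
    addresses so the prose numbers are verified rather than trusted."""
    m_err, m_acc, m_reg = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (m_err and m_acc and m_reg):
        raise ValueError("not a heap-buffer-overflow report in the expected ASan layout")

    # Text before "allocated by" holds the faulting access and its stack;
    # text after it holds the allocation site of the region that was overrun.
    split = text.index("allocated by")
    access_frames = [(f, l) for _, f, l in FRAME_RE.findall(text[:split])]
    alloc_frames = [(f, l) for _, f, l in FRAME_RE.findall(text[split:])]

    addr = int(m_err.group("addr"), 16)
    lo, hi = int(m_reg.group("lo"), 16), int(m_reg.group("hi"), 16)
    side = m_reg.group("side")
    distance = addr - hi if side == "right" else lo - addr   # recomputed from addresses
    consistent = (distance == int(m_reg.group("dist"))
                  and hi - lo == int(m_reg.group("size"))
                  and int(m_acc.group("addr"), 16) == addr)

    # Skip the sanitizer's own malloc interceptor to reach the allocating application frame.
    alloc_frame = next((fr for fr in alloc_frames if not fr[0].startswith("__interceptor_")), None)

    return {
        "pid": int(m_err.group("pid")),
        "kind": m_err.group("kind"),
        "op": m_acc.group("op"),
        "access_size": int(m_acc.group("size")),
        "thread": m_acc.group("thread"),
        "address": addr,
        "region": (lo, hi),
        "region_size": hi - lo,
        "side": side,
        "distance": distance,
        "consistent": consistent,
        "top_frame": access_frames[0] if access_frames else None,
        "access_frames": access_frames,
        "alloc_frame": alloc_frame,
    }


def summarize(report):
    """One-line triage summary suitable for a bug tracker or dedup key."""
    func, loc = report["top_frame"]
    afunc, aloc = report["alloc_frame"]
    return (f"{report['kind']}: {report['op']} of {report['access_size']} byte(s) "
            f"{report['distance']} bytes past the {'end' if report['side'] == 'right' else 'start'} "
            f"of a {report['region_size']}-byte heap region; "
            f"access at {func} ({loc}), allocated at {afunc} ({aloc}); "
            f"addresses {'consistent' if report['consistent'] else 'INCONSISTENT'}")


if __name__ == "__main__":
    print(summarize(parse_asan_report(ASAN_REPORT)))
```

The `consistent` flag is the point of the recomputation: when a report has been hand-edited or copied with a truncated address, the stated distance no longer matches the addresses, and a triage pipeline should flag that before anyone spends time on the stack. The summary line (write, 1 byte, 1280 past the end of a 54400-byte region, faulting frame and allocation frame) is also the natural deduplication key for further crashes from the same fuzzing run.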