Copied from Debian.

# HG changeset patch
# User Ralph Giles <giles@mozilla.com>
# Date 1412209683 25200
# Node ID 6023f0b4f8ba49dd117106cc98cd8007c2142bf6
# Parent  8c431dcec0ffde13988d47eacf341113ea883245
Bug 1063327 - Reject vp9 frames with invalid tiles. r=kinetik, a=abillings

diff --git a/vp9/decoder/vp9_decodframe.c b/vp9/decoder/vp9_decodframe.c
--- a/vp9/decoder/vp9_decodframe.c
+++ b/vp9/decoder/vp9_decodframe.c
@@ -863,16 +863,21 @@ static size_t get_tile(const uint8_t *co
 
   if (!is_last) {
     if (!read_is_valid(*data, 4, data_end))
       vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
           "Truncated packet or corrupt tile length");
 
     size = read_be32(*data);
     *data += 4;
+
+    if (size > data_end - *data) {
+      vpx_internal_error(error_info, VPX_CODEC_CORRUPT_FRAME,
+          "Truncated packet or corrupt tile size");
+    }
   } else {
     size = data_end - *data;
   }
   return size;
 }
 
 typedef struct TileBuffer {
   const uint8_t *data;