From 438a064a9cd4542ce51dd139a2beb98555114fb2 Mon Sep 17 00:00:00 2001 From: Hyunjun Ko Date: Wed, 31 Jan 2024 09:20:31 +0900 Subject: [PATCH] anv/video: fix out-of-bounds read Since STD_VIDEO_H265_CHROMA_QP_OFFSET_TILE_COLS_LIST_SIZE is 19. Fixes: 8d519eb5 ("anv: add initial video decode support for h265") Closes: mesa/mesa#10529 Signed-off-by: Hyunjun Ko Acked-by: Lionel Landwerlin Part-of: (cherry picked from commit d0d2cf549bad34a6e2f9a40a80784450b51168be) --- .pick_status.json | 2 +- src/intel/vulkan/genX_video.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.pick_status.json b/.pick_status.json index 461819b1e38..91a94b2e576 100644 --- a/.pick_status.json +++ b/.pick_status.json @@ -414,7 +414,7 @@ "description": "anv/video: fix out-of-bounds read", "nominated": true, "nomination_type": 1, - "resolution": 0, + "resolution": 1, "main_sha": null, "because_sha": "8d519eb5f5947800279e4c02bf7aa79b0b65cd17", "notes": null diff --git a/src/intel/vulkan/genX_video.c b/src/intel/vulkan/genX_video.c index 52994173d9d..8eacbf12eef 100644 --- a/src/intel/vulkan/genX_video.c +++ b/src/intel/vulkan/genX_video.c @@ -551,7 +551,8 @@ anv_h265_decode_video(struct anv_cmd_buffer *cmd_buffer, cum += pps->column_width_minus1[4 * i + 2] + 1; tile.ColumnPosition[i].CtbPos3i = cum; - if ((4 * i + 3) == pps->num_tile_columns_minus1) + if ((4 * i + 3) >= MIN2(pps->num_tile_columns_minus1, + ARRAY_SIZE(pps->column_width_minus1))) break; cum += pps->column_width_minus1[4 * i + 3] + 1;
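Review bot: In the genX_video.c hunk, the new break condition `(4 * i + 3) >= MIN2(pps->num_tile_columns_minus1, ARRAY_SIZE(pps->column_width_minus1))` mixes two kinds of bound, a last-column index (`num_tile_columns_minus1`) and an element count (`ARRAY_SIZE(...)`), and nothing in the code explains why that is intended. The result is correct for the read that follows, since `column_width_minus1[4 * i + 3]` is only reached when `4 * i + 3` is below both values. A one-line comment would make that clear, as would two separate checks, one for "last column reached" and one for "index past the end of the array". When the `ARRAY_SIZE` arm is the one that triggers, the PPS declares more tile columns than `column_width_minus1` can describe and the loop now stops silently, so it is worth deciding whether that case should be flagged rather than quietly truncated. Only the `4 * i + 3` check changes here. The `column_width_minus1[4 * i + 2]` read in the context lines above depends on checks outside this hunk, so the commit message should name the index that was read out of bounds; "is 19" alone does not say.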