From df41b67e1b2571731a8322730e589824b4d135ea Mon Sep 17 00:00:00 2001
From: Per Larsen
Date: Wed, 18 Mar 2026 00:55:18 -0700
Subject: [PATCH] Fix ITUT T.35 payload_size underflow

A local variable was typed as a `usize` where dav1d uses `ptrdiff_t` which lead to downstream differences in the validation logic.

Closes #1476.

Thanks to @Shnatsel for finding this issue through fuzz testing.
---
 src/obu.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/obu.rs b/src/obu.rs
index 2185fcf45..c6aaa0d6c 100644
--- a/src/obu.rs
+++ b/src/obu.rs
@@ -2391,7 +2391,7 @@ fn parse_obus(
 })); // TODO(kkysen) fallible allocation
 }
 Some(ObuMetaType::ItutT35) => {
- let mut payload_size = gb.remaining_len();
+ let mut payload_size = gb.remaining_len() as isize;
 // Don't take into account all the trailing bits for `payload_size`.
 while payload_size > 0 && gb[payload_size as usize - 1] == 0 {
 payload_size -= 1; // trailing_zero_bit x 8
@@ -2406,7 +2406,7 @@ fn parse_obus(
 payload_size -= 1;
 }
 
- if payload_size == 0 || gb[payload_size] != 0x80 {
+ if payload_size <= 0 || gb[payload_size as usize] != 0x80 {
 writeln!(c.logger, "Malformed ITU-T T.35 metadata message format");
 } else {
 let country_code = country_code as u8;
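Review bot: The `as isize` on the new `let mut payload_size = gb.remaining_len() as isize;` line is a silent sign-wrapping cast with no comment saying why the signed type is needed; if `remaining_len()` ever exceeded `isize::MAX` the value would start negative and the OBU would be logged as malformed instead of failing loudly. On 64-bit targets that is presumably unreachable for any real OBU, but the next reader will see `as usize` casts on every index and be tempted to "fix" it back to `usize`, which is exactly the underflow this commit removes. A one-line note such as `// Signed on purpose (dav1d's ptrdiff_t): the decrements below may drive it below zero, which the `<= 0` check relies on.` would pin the intent; if you prefer the conversion to be checked, `isize::try_from(gb.remaining_len()).expect("OBU payload length fits in isize")` names the invariant instead of assuming it. `parse_obus` starts and ends outside this hunk.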
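Review bot: The new `if payload_size <= 0 || gb[payload_size as usize] != 0x80` guard now depends on `payload_size` going negative through the `payload_size -= 1;` decrements above it, but the commit adds no regression test for the fuzz case it closes, so a later refactor back to an unsigned length would not be caught. A T.35 metadata payload made only of zero bytes drives `payload_size` to 0 in the trailing-zero loop of the first hunk, after which the decrements that follow (partly outside this hunk) are what used to underflow; that is the smallest input worth adding, with the "Malformed ITU-T T.35 metadata message format" log as the expected outcome. The `as usize` on the index is only sound because `<= 0` is tested first in the same `||`; a short comment, e.g. `// Order matters: the cast is valid only once payload_size > 0.`, would keep a reorder from reintroducing the out-of-range index. `parse_obus` continues outside this hunk.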