CVE-2018-0429

An authenticated local attacker supplies a crafted non-conformant Thor bitstream to the decoder. The bitstream can specify an out-of-range `log2_sb_size` value in the sequence header, which is then used to compute block sizes during recursive decoding. When `split_flag` is set and the computed block size is smaller than `MIN_BLOCK_SIZE`, the recursive call to `process_block_dec` can overflow the stack because the base case is never reached [patch_id=6629298]. No network path is required; the attacker must be able to feed the malicious file to the decoder binary.

The patch adds two guards. In `read_sequence_header`, the parsed `log2_sb_size` is now clipped to the valid range `[log2i(MIN_BLOCK_SIZE), log2i(MAX_SB_SIZE)]`, preventing an attacker from setting an illegally small superblock size. In `process_block_dec`, the recursive split is gated by `size >= MIN_BLOCK_SIZE`, so even if a small size somehow reaches the function, the recursion terminates immediately instead of dividing further. Together these changes ensure the decoder never recurses below the minimum block size, eliminating the stack overflow.