add more oss-fuzz samples

Merged Janne Grunau requested to merge janne/dav1d-test-data:2018-11-18 into master
  1. Nov 20, 2018
    • oss-fuzz: add test case for Heap-buffer-overflow in setup_tile · b571502a
      Janne Grunau authored
      ==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000056a at pc 0x00000054ba74 bp 0x7ffe7d7347d0 sp 0x7ffe7d7347c8
      WRITE of size 2 at 0x61900000056a thread T0
      SCARINESS: 43 (2-byte-write-heap-buffer-overflow-far-from-bounds)
          #0 0x54ba73 in setup_tile /src/dav1d/src/decode.c:2258:36
          #1 0x547bce in dav1d_decode_frame /src/dav1d/src/decode.c:2772:13
          #2 0x54e4a2 in dav1d_submit_frame /src/dav1d/src/decode.c:3275:20
          #3 0x533012 in dav1d_parse_obus /src/dav1d/src/obu.c:1296:20
          #4 0x52fd80 in dav1d_get_picture /src/dav1d/src/lib.c:250:20
          #5 0x52bc30 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #6 0x6428da in ExecuteFilesOnyByOne(int, char**) /src/libfuzzer/afl/afl_driver.cpp:301:5
          #7 0x642e3e in main /src/libfuzzer/afl/afl_driver.cpp:339:12
          #8 0x7f8b301cb82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #9 0x41c588 in _start
      Address 0x61900000056a is a wild pointer.
      SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-afl_dav1d_14dece08e8908088de8b5a0461ecc512e82f4c5d/revisions/dav1d_fuzzer+0x54ba73)
      Shadow bytes around the buggy address:
    • oss-fuzz: add test case for undefined left shift of negative value · 031fc25e
      Janne Grunau authored
      SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/dav1d/src/film_grain_tmpl.c:431:17 in ../../src/dav1d/src/film_grain_tmpl.c:431:17: runtime error: left shift of negative value -128
          #0 0x4a504c in apply_to_row_uv /src/dav1d/src/film_grain_tmpl.c:431:17
          #1 0x4a1209 in dav1d_apply_grain_8bpc /src/dav1d/src/film_grain_tmpl.c:511:17
          #2 0x4319c5 in output_image /src/dav1d/src/lib.c:196:9
          #3 0x431609 in dav1d_get_picture /src/dav1d/src/lib.c:264:16
          #4 0x42f126 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #5 0x4fc7e8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #6 0x4ece02 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #7 0x4f0a7b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #8 0x4ecb88 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #9 0x7f982d12482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #10 0x405cd8 in _start
    • oss-fuzz: add test case for use of uninitialized value originating in resize_c · bffc7c5a
      Janne Grunau authored
      Exemplary for other test cases with the same origin.
      
      ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x5a1ceb in imax /src/dav1d/include/common/intops.h:36:12
          #1 0x59e3eb in selfguided_filter /src/dav1d/src/looprestoration_tmpl.c:444:32
          #2 0x59ce12 in selfguided_c /src/dav1d/src/looprestoration_tmpl.c:542:9
          #3 0x668746 in lr_stripe /src/dav1d/src/lr_apply_tmpl.c:184:13
          #4 0x6675a2 in lr_sbrow /src/dav1d/src/lr_apply_tmpl.c:261:13
          #5 0x666326 in dav1d_lr_sbrow_8bpc /src/dav1d/src/lr_apply_tmpl.c:283:9
          #6 0x5ca768 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1627:9
          #7 0x4d53bf in dav1d_decode_frame /src/dav1d/src/decode.c:2886:25
          #8 0x4ab0ad in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9
          #9 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77
          #10 0x7f4ab65586b9 in start_thread
          #11 0x7f4ab596341c in clone /build/glibc-Cl5G7W/glibc-2.23/sysdeps/unix/sysv/linux/x86_64/clone.S:109
        Uninitialized value was stored to memory at
          #0 0x5a04e8 in boxsum5 /src/dav1d/src/looprestoration_tmpl.c:309:20
          #1 0x59e034 in selfguided_filter /src/dav1d/src/looprestoration_tmpl.c:428:9
          #2 0x59ce12 in selfguided_c /src/dav1d/src/looprestoration_tmpl.c:542:9
          #3 0x668746 in lr_stripe /src/dav1d/src/lr_apply_tmpl.c:184:13
          #4 0x6675a2 in lr_sbrow /src/dav1d/src/lr_apply_tmpl.c:261:13
          #5 0x666326 in dav1d_lr_sbrow_8bpc /src/dav1d/src/lr_apply_tmpl.c:283:9
          #6 0x5ca768 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1627:9
          #7 0x4d53bf in dav1d_decode_frame /src/dav1d/src/decode.c:2886:25
          #8 0x4ab0ad in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9
          #9 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77
        Uninitialized value was stored to memory at
          #0 0x5a014f in boxsum5 /src/dav1d/src/looprestoration_tmpl.c:291:17
          #1 0x59e034 in selfguided_filter /src/dav1d/src/looprestoration_tmpl.c:428:9
          #2 0x59ce12 in selfguided_c /src/dav1d/src/looprestoration_tmpl.c:542:9
          #3 0x668746 in lr_stripe /src/dav1d/src/lr_apply_tmpl.c:184:13
          #4 0x6675a2 in lr_sbrow /src/dav1d/src/lr_apply_tmpl.c:261:13
          #5 0x666326 in dav1d_lr_sbrow_8bpc /src/dav1d/src/lr_apply_tmpl.c:283:9
          #6 0x5ca768 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1627:9
          #7 0x4d53bf in dav1d_decode_frame /src/dav1d/src/decode.c:2886:25
          #8 0x4ab0ad in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9
          #9 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77
        Uninitialized value was stored to memory at
          #0 0x45f31d in __msan_memcpy.part.51 /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:1490
          #1 0x59d863 in padding /src/dav1d/src/looprestoration_tmpl.c:98:9
          #2 0x59c2cc in selfguided_c /src/dav1d/src/looprestoration_tmpl.c:521:5
          #3 0x668746 in lr_stripe /src/dav1d/src/lr_apply_tmpl.c:184:13
          #4 0x6675a2 in lr_sbrow /src/dav1d/src/lr_apply_tmpl.c:261:13
          #5 0x666326 in dav1d_lr_sbrow_8bpc /src/dav1d/src/lr_apply_tmpl.c:283:9
          #6 0x5ca768 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1627:9
          #7 0x4d53bf in dav1d_decode_frame /src/dav1d/src/decode.c:2886:25
          #8 0x4ab0ad in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9
          #9 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77
        Uninitialized value was created by a heap allocation
          #0 0x46bd54 in __interceptor_posix_memalign /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:170
          #1 0x4a1109 in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x4a0b98 in default_picture_allocator /src/dav1d/src/picture.c:59:21
          #3 0x4a0613 in fuzz_picture_allocator /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:49:12
          #4 0x4a1747 in picture_alloc_with_edges /src/dav1d/src/picture.c:130:15
          #5 0x4a1fbf in dav1d_thread_picture_alloc /src/dav1d/src/picture.c:169:9
          #6 0x4dadf0 in dav1d_submit_frame /src/dav1d/src/decode.c:3093:11
          #7 0x4ad5f3 in dav1d_parse_obus /src/dav1d/src/obu.c:1296:20
          #8 0x4a7977 in dav1d_get_picture /src/dav1d/src/lib.c:250:20
          #9 0x49ff97 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #10 0x6c27fb in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #11 0x67a7a6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #12 0x68b5ca in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #13 0x6798d1 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #14 0x7f4ab587c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
  2. Nov 19, 2018
    • oss-fuzz: add test case for timeout in pthread_join/dav1d_close · bc157a3e
      Janne Grunau authored
      ALARM: working on the last Unit for 25 seconds
             and the timeout value is 25 (use -timeout=N to change)
      ==1== ERROR: libFuzzer: timeout after 25 seconds
          #0 0x42eca3 in __sanitizer_print_stack_trace /src/llvm/projects/compiler-rt/lib/ubsan/ubsan_diag_standalone.cc:29
          #1 0x5144d6 in fuzzer::PrintStackTrace() /src/libfuzzer/FuzzerUtil.cpp:206:5
          #2 0x4f18e2 in fuzzer::Fuzzer::AlarmCallback() /src/libfuzzer/FuzzerLoop.cpp:301:5
          #3 0x7ffb8a77f38f in libpthread.so.0
          #4 0x7ffb8a77698c in pthread_join
          #5 0x431a11 in dav1d_close /src/dav1d/src/lib.c:261:13
          #6 0x42f2fa in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:128:5
          #7 0x4f3338 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #8 0x4e3952 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #9 0x4e75cb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #10 0x4e36d8 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #11 0x7ffb89a9982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #12 0x405cd8 in _start
      custom-crash-state: dav1d_fuzzer_mt
      SUMMARY: libFuzzer: timeout
    • uncomment all long running tests after c496fab4ab · 13b36b58
      Janne Grunau authored
      Probably means the samples are not that interesting anymore though.
  3. Nov 18, 2018
    • oss-fuzz: add test case for ubsan mt timeout · c5447b2b
      Janne Grunau authored
      ==1== ERROR: libFuzzer: timeout after 25 seconds
          #0 0x42eca3 in __sanitizer_print_stack_trace /src/llvm/projects/compiler-rt/lib/ubsan/ubsan_diag_standalone.cc:29
          #1 0x513d56 in fuzzer::PrintStackTrace() /src/libfuzzer/FuzzerUtil.cpp:206:5
          #2 0x4f1162 in fuzzer::Fuzzer::AlarmCallback() /src/libfuzzer/FuzzerLoop.cpp:301:5
          #3 0x7faf4fdd238f in libpthread.so.0
          #4 0x7faf4fdce35f in __pthread_cond_wait
          #5 0x431661 in dav1d_get_picture /src/dav1d/src/lib.c:192:17
          #6 0x42f2a6 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:121:15
          #7 0x4f2bb8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #8 0x4e31d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #9 0x4e6e4b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #10 0x4e2f58 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #11 0x7faf4f0ec82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #12 0x405cd8 in _start
      custom-crash-state: dav1d_fuzzer_mt
      SUMMARY: libFuzzer: timeout
    • oss-fuzz: add test case for Use-of-uninitialized-value in resize_c · 53dc2df8
      Janne Grunau authored
      ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x58e7d4 in iclip /src/dav1d/include/common/intops.h:44:28
          #1 0x58be67 in resize_c /src/dav1d/src/mc_tmpl.c:794:22
          #2 0x64e401 in backup_lpf /src/dav1d/src/lr_apply_tmpl.c:77:13
          #3 0x64dab9 in dav1d_lr_copy_lpf_8bpc /src/dav1d/src/lr_apply_tmpl.c:135:13
          #4 0x5c70a6 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1591:9
          #5 0x4d216e in dav1d_decode_frame /src/dav1d/src/decode.c:2824:25
          #6 0x4da976 in dav1d_submit_frame /src/dav1d/src/decode.c:3270:20
          #7 0x4acaa5 in dav1d_parse_obus /src/dav1d/src/obu.c:1208:20
          #8 0x4a7607 in dav1d_get_picture /src/dav1d/src/lib.c:214:20
          #9 0x49ffb9 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #10 0x6ab0db in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #11 0x663086 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #12 0x673eaa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #13 0x6621b1 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #14 0x7f26f631982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #15 0x41e8e8 in _start
        Uninitialized value was created by a heap allocation
          #0 0x46bd54 in __interceptor_posix_memalign /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:170
          #1 0x4a1119 in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x4a0bb8 in default_picture_allocator /src/dav1d/src/picture.c:59:21
          #3 0x4a0633 in fuzz_picture_allocator /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:49:12
          #4 0x4a1734 in picture_alloc_with_edges /src/dav1d/src/picture.c:129:15
          #5 0x4a13eb in dav1d_picture_alloc /src/dav1d/src/picture.c:156:12
          #6 0x4d873a in dav1d_submit_frame /src/dav1d/src/decode.c:3105:15
          #7 0x4acaa5 in dav1d_parse_obus /src/dav1d/src/obu.c:1208:20
          #8 0x4a7607 in dav1d_get_picture /src/dav1d/src/lib.c:214:20
          #9 0x49ffb9 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #10 0x6ab0db in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #11 0x663086 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #12 0x673eaa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #13 0x6621b1 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #14 0x7f26f631982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_dav1d_3cefbaa25c2c6bbdc887bbe62141145645bd0466/revisions/dav1d_fuzzer+0x58e7d4)