add more oss-fuzz samples
- Nov 20, 2018
-
-
Janne Grunau authored2454a3e0
-
Janne Grunau authored
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000056a at pc 0x00000054ba74 bp 0x7ffe7d7347d0 sp 0x7ffe7d7347c8 WRITE of size 2 at 0x61900000056a thread T0 SCARINESS: 43 (2-byte-write-heap-buffer-overflow-far-from-bounds) #0 0x54ba73 in setup_tile /src/dav1d/src/decode.c:2258:36 #1 0x547bce in dav1d_decode_frame /src/dav1d/src/decode.c:2772:13 #2 0x54e4a2 in dav1d_submit_frame /src/dav1d/src/decode.c:3275:20 #3 0x533012 in dav1d_parse_obus /src/dav1d/src/obu.c:1296:20 #4 0x52fd80 in dav1d_get_picture /src/dav1d/src/lib.c:250:20 #5 0x52bc30 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19 #6 0x6428da in ExecuteFilesOnyByOne(int, char**) /src/libfuzzer/afl/afl_driver.cpp:301:5 #7 0x642e3e in main /src/libfuzzer/afl/afl_driver.cpp:339:12 #8 0x7f8b301cb82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291 #9 0x41c588 in _start Address 0x61900000056a is a wild pointer. SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-afl_dav1d_14dece08e8908088de8b5a0461ecc512e82f4c5d/revisions/dav1d_fuzzer+0x54ba73) Shadow bytes around the buggy address: 0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa 0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right red
b571502a -
Janne Grunau authored
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/dav1d/src/film_grain_tmpl.c:431:17 in ../../src/dav1d/src/film_grain_tmpl.c:431:17: runtime error: left shift of negative value -128 #0 0x4a504c in apply_to_row_uv /src/dav1d/src/film_grain_tmpl.c:431:17 #1 0x4a1209 in dav1d_apply_grain_8bpc /src/dav1d/src/film_grain_tmpl.c:511:17 #2 0x4319c5 in output_image /src/dav1d/src/lib.c:196:9 #3 0x431609 in dav1d_get_picture /src/dav1d/src/lib.c:264:16 #4 0x42f126 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19 #5 0x4fc7e8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15 #6 0x4ece02 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6 #7 0x4f0a7b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9 #8 0x4ecb88 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #9 0x7f982d12482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291 #10 0x405cd8 in _start
031fc25e -
Janne Grunau authored
Exemplary for other test cases with the same origin. ==1==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x5a1ceb in imax /src/dav1d/include/common/intops.h:36:12 #1 0x59e3eb in selfguided_filter /src/dav1d/src/looprestoration_tmpl.c:444:32 #2 0x59ce12 in selfguided_c /src/dav1d/src/looprestoration_tmpl.c:542:9 #3 0x668746 in lr_stripe /src/dav1d/src/lr_apply_tmpl.c:184:13 #4 0x6675a2 in lr_sbrow /src/dav1d/src/lr_apply_tmpl.c:261:13 #5 0x666326 in dav1d_lr_sbrow_8bpc /src/dav1d/src/lr_apply_tmpl.c:283:9 #6 0x5ca768 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1627:9 #7 0x4d53bf in dav1d_decode_frame /src/dav1d/src/decode.c:2886:25 #8 0x4ab0ad in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9 #9 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77 #10 0x7f4ab65586b9 in start_thread #11 0x7f4ab596341c in clone /build/glibc-Cl5G7W/glibc-2.23/sysdeps/unix/sysv/linux/x86_64/clone.S:109 Uninitialized value was stored to memory at #0 0x5a04e8 in boxsum5 /src/dav1d/src/looprestoration_tmpl.c:309:20 #1 0x59e034 in selfguided_filter /src/dav1d/src/looprestoration_tmpl.c:428:9 #2 0x59ce12 in selfguided_c /src/dav1d/src/looprestoration_tmpl.c:542:9 #3 0x668746 in lr_stripe /src/dav1d/src/lr_apply_tmpl.c:184:13 #4 0x6675a2 in lr_sbrow /src/dav1d/src/lr_apply_tmpl.c:261:13 #5 0x666326 in dav1d_lr_sbrow_8bpc /src/dav1d/src/lr_apply_tmpl.c:283:9 #6 0x5ca768 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1627:9 #7 0x4d53bf in dav1d_decode_frame /src/dav1d/src/decode.c:2886:25 #8 0x4ab0ad in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9 #9 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77 Uninitialized value was stored to memory at #0 0x5a014f in boxsum5 /src/dav1d/src/looprestoration_tmpl.c:291:17 #1 0x59e034 in selfguided_filter /src/dav1d/src/looprestoration_tmpl.c:428:9 #2 0x59ce12 in selfguided_c /src/dav1d/src/looprestoration_tmpl.c:542:9 #3 0x668746 in lr_stripe /src/dav1d/src/lr_apply_tmpl.c:184:13 #4 0x6675a2 in lr_sbrow /src/dav1d/src/lr_apply_tmpl.c:261:13 #5 0x666326 in dav1d_lr_sbrow_8bpc /src/dav1d/src/lr_apply_tmpl.c:283:9 #6 0x5ca768 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1627:9 #7 0x4d53bf in dav1d_decode_frame /src/dav1d/src/decode.c:2886:25 #8 0x4ab0ad in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9 #9 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77 Uninitialized value was stored to memory at #0 0x45f31d in __msan_memcpy.part.51 /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:1490 #1 0x59d863 in padding /src/dav1d/src/looprestoration_tmpl.c:98:9 #2 0x59c2cc in selfguided_c /src/dav1d/src/looprestoration_tmpl.c:521:5 #3 0x668746 in lr_stripe /src/dav1d/src/lr_apply_tmpl.c:184:13 #4 0x6675a2 in lr_sbrow /src/dav1d/src/lr_apply_tmpl.c:261:13 #5 0x666326 in dav1d_lr_sbrow_8bpc /src/dav1d/src/lr_apply_tmpl.c:283:9 #6 0x5ca768 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1627:9 #7 0x4d53bf in dav1d_decode_frame /src/dav1d/src/decode.c:2886:25 #8 0x4ab0ad in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9 #9 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77 Uninitialized value was created by a heap allocation #0 0x46bd54 in __interceptor_posix_memalign /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:170 #1 0x4a1109 in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9 #2 0x4a0b98 in default_picture_allocator /src/dav1d/src/picture.c:59:21 #3 0x4a0613 in fuzz_picture_allocator /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:49:12 #4 0x4a1747 in picture_alloc_with_edges /src/dav1d/src/picture.c:130:15 #5 0x4a1fbf in dav1d_thread_picture_alloc /src/dav1d/src/picture.c:169:9 #6 0x4dadf0 in dav1d_submit_frame /src/dav1d/src/decode.c:3093:11 #7 0x4ad5f3 in dav1d_parse_obus /src/dav1d/src/obu.c:1296:20 #8 0x4a7977 in dav1d_get_picture /src/dav1d/src/lib.c:250:20 #9 0x49ff97 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19 #10 0x6c27fb in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15 #11 0x67a7a6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6 #12 0x68b5ca in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9 #13 0x6798d1 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #14 0x7f4ab587c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
bffc7c5a
-
- Nov 19, 2018
-
-
Janne Grunau authored
ALARM: working on the last Unit for 25 seconds and the timeout value is 25 (use -timeout=N to change) ==1== ERROR: libFuzzer: timeout after 25 seconds #0 0x42eca3 in __sanitizer_print_stack_trace /src/llvm/projects/compiler-rt/lib/ubsan/ubsan_diag_standalone.cc:29 #1 0x5144d6 in fuzzer::PrintStackTrace() /src/libfuzzer/FuzzerUtil.cpp:206:5 #2 0x4f18e2 in fuzzer::Fuzzer::AlarmCallback() /src/libfuzzer/FuzzerLoop.cpp:301:5 #3 0x7ffb8a77f38f in libpthread.so.0 #4 0x7ffb8a77698c in pthread_join #5 0x431a11 in dav1d_close /src/dav1d/src/lib.c:261:13 #6 0x42f2fa in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:128:5 #7 0x4f3338 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15 #8 0x4e3952 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6 #9 0x4e75cb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9 #10 0x4e36d8 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #11 0x7ffb89a9982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291 #12 0x405cd8 in _start custom-crash-state: dav1d_fuzzer_mt SUMMARY: libFuzzer: timeout
bc157a3e -
Janne Grunau authored
Probably means the samples are not that interesting anymore though.
13b36b58
-
- Nov 18, 2018
-
-
Janne Grunau authored
==1== ERROR: libFuzzer: timeout after 25 seconds #0 0x42eca3 in __sanitizer_print_stack_trace /src/llvm/projects/compiler-rt/lib/ubsan/ubsan_diag_standalone.cc:29 #1 0x513d56 in fuzzer::PrintStackTrace() /src/libfuzzer/FuzzerUtil.cpp:206:5 #2 0x4f1162 in fuzzer::Fuzzer::AlarmCallback() /src/libfuzzer/FuzzerLoop.cpp:301:5 #3 0x7faf4fdd238f in libpthread.so.0 #4 0x7faf4fdce35f in __pthread_cond_wait #5 0x431661 in dav1d_get_picture /src/dav1d/src/lib.c:192:17 #6 0x42f2a6 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:121:15 #7 0x4f2bb8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15 #8 0x4e31d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6 #9 0x4e6e4b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9 #10 0x4e2f58 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #11 0x7faf4f0ec82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291 #12 0x405cd8 in _start custom-crash-state: dav1d_fuzzer_mt SUMMARY: libFuzzer: timeout
c5447b2b -
Janne Grunau authored
==1==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x58e7d4 in iclip /src/dav1d/include/common/intops.h:44:28 #1 0x58be67 in resize_c /src/dav1d/src/mc_tmpl.c:794:22 #2 0x64e401 in backup_lpf /src/dav1d/src/lr_apply_tmpl.c:77:13 #3 0x64dab9 in dav1d_lr_copy_lpf_8bpc /src/dav1d/src/lr_apply_tmpl.c:135:13 #4 0x5c70a6 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1591:9 #5 0x4d216e in dav1d_decode_frame /src/dav1d/src/decode.c:2824:25 #6 0x4da976 in dav1d_submit_frame /src/dav1d/src/decode.c:3270:20 #7 0x4acaa5 in dav1d_parse_obus /src/dav1d/src/obu.c:1208:20 #8 0x4a7607 in dav1d_get_picture /src/dav1d/src/lib.c:214:20 #9 0x49ffb9 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19 #10 0x6ab0db in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15 #11 0x663086 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6 #12 0x673eaa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9 #13 0x6621b1 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #14 0x7f26f631982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291 #15 0x41e8e8 in _start Uninitialized value was created by a heap allocation #0 0x46bd54 in __interceptor_posix_memalign /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:170 #1 0x4a1119 in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9 #2 0x4a0bb8 in default_picture_allocator /src/dav1d/src/picture.c:59:21 #3 0x4a0633 in fuzz_picture_allocator /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:49:12 #4 0x4a1734 in picture_alloc_with_edges /src/dav1d/src/picture.c:129:15 #5 0x4a13eb in dav1d_picture_alloc /src/dav1d/src/picture.c:156:12 #6 0x4d873a in dav1d_submit_frame /src/dav1d/src/decode.c:3105:15 #7 0x4acaa5 in dav1d_parse_obus /src/dav1d/src/obu.c:1208:20 #8 0x4a7607 in dav1d_get_picture /src/dav1d/src/lib.c:214:20 #9 0x49ffb9 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19 #10 0x6ab0db in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15 #11 0x663086 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6 #12 0x673eaa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9 #13 0x6621b1 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #14 0x7f26f631982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291 SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_dav1d_3cefbaa25c2c6bbdc887bbe62141145645bd0466/revisions/dav1d_fuzzer+0x58e7d4)
53dc2df8
-