Today's OSS-Fuzz updates (dav1d, film-grain path)
- Nov 24, 2018
-
-
UBSan build, dav1d_fuzzer_mt (multi-threaded fuzzer, fault on thread T1): the sanitizer SEGV handler classifies the fault as a stack-overflow in apply_to_row_y() at film_grain_tmpl.c:283, reached while applying 10bpc film grain to fuzzer-supplied input (dav1d_get_picture() → output_image() → dav1d_apply_grain_10bpc()). Two details of the report are worth noting before triage: the trace is only 12 frames deep with no function repeated, so this is not recursion exhaustion, and the faulting address (0x7ffc5e8ea0a1) lies above the reported sp/bp, which suggests an out-of-bounds access to a stack-resident buffer in the film-grain code rather than a guard-page hit — confirm against the source at line 283. Frame #7 is ReadAndExecuteSeedCorpora, so an existing seed-corpus entry reproduces it (i.e. likely a regression, not a newly found input). Report: ==1==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffc5e8ea0a1 (pc 0x0000004e362c bp 0x7ffc5e8daef0 sp 0x7ffc5e8dadc0 T1) #0 0x4e362b in apply_to_row_y /src/dav1d/src/film_grain_tmpl.c:283:17 #1 0x4e1d0a in dav1d_apply_grain_10bpc /src/dav1d/src/film_grain_tmpl.c:504:13 #2 0x431a14 in output_image /src/dav1d/src/lib.c:199:9 #3 0x431864 in dav1d_get_picture /src/dav1d/src/lib.c:0 #4 0x42f252 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:131:15 #5 0x502a88 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15 #6 0x501e55 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:480:3 #7 0x5044a7 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:783:7 #8 0x504845 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:806:3 #9 0x4f6f3e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6 #10 0x4f2e28 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #11 0x7f2438c2c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291 #12 0x405cd8 in _start SUMMARY: UndefinedBehaviorSanitizer: stack-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_dav1d_1dba850c6be01aadc39811634b000cc38db48773/revisions/dav1d_fuzzer_mt+0x4e362b)
5f330589 -
MSan build, dav1d_fuzzer (8bpc): use-of-uninitialized-value reported in iclip() (intops.h:44) called from apply_to_row_uv() at film_grain_tmpl.c:431 via dav1d_apply_grain_8bpc(). The origin trace is the useful part: the uninitialized bytes come from the picture buffer handed out by posix_memalign through dav1d_alloc_aligned()/default_picture_allocator (picture.c:59), allocated in dav1d_submit_frame() during OBU parsing — so the chroma film-grain pass is reading picture memory the decoder never wrote for this input (presumably a plane or region outside what was decoded; verify which). Reading uninitialized pixels is not a memory-safety break by itself, but it makes output nondeterministic and can carry stale heap contents into the returned picture, so the fix should either restrict the grain pass to decoded pixels or guarantee the read region is initialised, not just silence MSan. Report: ==1==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x5e2f34 in iclip /src/dav1d/include/common/intops.h:44:12 #1 0x5e027e in apply_to_row_uv /src/dav1d/src/film_grain_tmpl.c:431:17 #2 0x5d9647 in dav1d_apply_grain_8bpc /src/dav1d/src/film_grain_tmpl.c:507:13 #3 0x4a89e3 in output_image /src/dav1d/src/lib.c:197:9 #4 0x4a8345 in dav1d_get_picture /src/dav1d/src/lib.c:0 #5 0x49ffa7 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:117:19 #6 0x6d552b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15 #7 0x68d4d6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6 #8 0x69e2fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9 #9 0x68c601 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #10 0x7f5e5cd2082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291 #11 0x41e8e8 in _start Uninitialized value was created by a heap allocation #0 0x46bd54 in __interceptor_posix_memalign /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:170 #1 0x4a1119 in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9 #2 0x4a0ba8 in default_picture_allocator /src/dav1d/src/picture.c:59:21 #3 0x4a0623 in fuzz_picture_allocator /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:52:12 #4 0x4a1a57 in picture_alloc_with_edges /src/dav1d/src/picture.c:130:15 #5 0x4a14df in dav1d_thread_picture_alloc /src/dav1d/src/picture.c:162:9 #6 0x4db033 in dav1d_submit_frame /src/dav1d/src/decode.c:3098:11 #7 0x4ad743 in dav1d_parse_obus /src/dav1d/src/obu.c:1292:20 #8 0x4a7994 in dav1d_get_picture /src/dav1d/src/lib.c:251:20 #9 0x49ffa7 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:117:19 #10 0x6d552b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15 #11 0x68d4d6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, 
char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6 #12 0x69e2fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9 #13 0x68c601 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #14 0x7f5e5cd2082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291 SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_dav1d_3cefbaa25c2c6bbdc887bbe62141145645bd0466/revisions/dav1d_fuzzer+0x5e2f34)
8776b49b
-