
todays oss-fuzz updates

Merged Janne Grunau requested to merge janne/dav1d-test-data:oss-fuzz into master
  1. Nov 24, 2018
    • oss-fuzz: add test case for uninitialized picture data · 5f330589
      Janne Grunau authored and committed
      Discovered by apply_to_row_y().
      ==1==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffc5e8ea0a1 (pc 0x0000004e362c bp 0x7ffc5e8daef0 sp 0x7ffc5e8dadc0 T1)
          #0 0x4e362b in apply_to_row_y /src/dav1d/src/film_grain_tmpl.c:283:17
          #1 0x4e1d0a in dav1d_apply_grain_10bpc /src/dav1d/src/film_grain_tmpl.c:504:13
          #2 0x431a14 in output_image /src/dav1d/src/lib.c:199:9
          #3 0x431864 in dav1d_get_picture /src/dav1d/src/lib.c:0
          #4 0x42f252 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:131:15
          #5 0x502a88 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #6 0x501e55 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:480:3
          #7 0x5044a7 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:783:7
          #8 0x504845 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:806:3
          #9 0x4f6f3e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6
          #10 0x4f2e28 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #11 0x7f2438c2c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #12 0x405cd8 in _start
      SUMMARY: UndefinedBehaviorSanitizer: stack-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_dav1d_1dba850c6be01aadc39811634b000cc38db48773/revisions/dav1d_fuzzer_mt+0x4e362b)
    • oss-fuzz: add test case for Use-of-uninitialized-value in apply_to_row_uv · 8776b49b
      Janne Grunau authored and committed
      ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x5e2f34 in iclip /src/dav1d/include/common/intops.h:44:12
          #1 0x5e027e in apply_to_row_uv /src/dav1d/src/film_grain_tmpl.c:431:17
          #2 0x5d9647 in dav1d_apply_grain_8bpc /src/dav1d/src/film_grain_tmpl.c:507:13
          #3 0x4a89e3 in output_image /src/dav1d/src/lib.c:197:9
          #4 0x4a8345 in dav1d_get_picture /src/dav1d/src/lib.c:0
          #5 0x49ffa7 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:117:19
          #6 0x6d552b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #7 0x68d4d6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #8 0x69e2fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #9 0x68c601 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #10 0x7f5e5cd2082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #11 0x41e8e8 in _start
        Uninitialized value was created by a heap allocation
          #0 0x46bd54 in __interceptor_posix_memalign /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:170
          #1 0x4a1119 in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x4a0ba8 in default_picture_allocator /src/dav1d/src/picture.c:59:21
          #3 0x4a0623 in fuzz_picture_allocator /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:52:12
          #4 0x4a1a57 in picture_alloc_with_edges /src/dav1d/src/picture.c:130:15
          #5 0x4a14df in dav1d_thread_picture_alloc /src/dav1d/src/picture.c:162:9
          #6 0x4db033 in dav1d_submit_frame /src/dav1d/src/decode.c:3098:11
          #7 0x4ad743 in dav1d_parse_obus /src/dav1d/src/obu.c:1292:20
          #8 0x4a7994 in dav1d_get_picture /src/dav1d/src/lib.c:251:20
          #9 0x49ffa7 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:117:19
          #10 0x6d552b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #11 0x68d4d6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #12 0x69e2fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #13 0x68c601 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #14 0x7f5e5cd2082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_dav1d_3cefbaa25c2c6bbdc887bbe62141145645bd0466/revisions/dav1d_fuzzer+0x5e2f34)