oss-fuzz: negative-size-param in dav1d_backup_ipred_edge_8bpc() src/recon_tmpl.c
Reproduced with commit acde4240
Steps to reproduce:
- build dav1d with AddressSanitizer (-fsanitize=address)
- replay testcase with
    ./dav1d_fuzzer clusterfuzz-testcase-minimized-dav1d_fuzzer-5707479116152832
==1==ERROR: AddressSanitizer: negative-size-param: (size=-56)
    #0 0x4ea203 in __asan_memcpy _asan_rtl_
    #1 0x5b70ad in dav1d_backup_ipred_edge_8bpc src/recon_tmpl.c:1504:5
    #2 0x54510f in dav1d_decode_tile_sbrow src/decode.c:2333:9
    #3 0x54b691 in dav1d_decode_frame src/decode.c:2668:29
    #4 0x55088e in dav1d_submit_frame src/decode.c:3041:20
    #5 0x5384ef in dav1d_parse_obus src/obu.c:1110:20
    #6 0x5356a6 in dav1d_decode src/lib.c:201:20
    #7 0x53209b in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:83:19
    #8 0x53003e in ExecuteFilesOnyByOne(int, char**) /src/libfuzzer/afl/afl_driver.cpp:301:5
    #9 0x5305ae in main /src/libfuzzer/afl/afl_driver.cpp:339:12
    #10 0x7fd8f519782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291