GitLab

Since the issues are probably related all test cases in a single issue.

1. heap overflow in setup_tile:

    ==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000052a at pc 0x00000054bfd7 bp
 0x7f222a875b90 sp 0x7f222a875b88
    WRITE of size 2 at 0x61900000052a thread T4
    SCARINESS: 43 (2-byte-write-heap-buffer-overflow-far-from-bounds)
        #0 0x54bfd6 in setup_tile /src/dav1d/src/decode.c:2257:36
        #1 0x547f4d in dav1d_decode_frame /src/dav1d/src/decode.c:2768:13
        #2 0x531d5f in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9
        #3 0x7f22316ee6b9 in start_thread

clusterfuzz-testcase-minimized-dav1d_fuzzer_mt-5646860283281408

2. use of uninitilized value in resize_c/iclip:

    ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
        #0 0x601684 in iclip /src/dav1d/include/common/intops.h:44:28
        #1 0x5fec4d in resize_c /src/dav1d/src/mc_tmpl.c:794:22
        #2 0x63b224 in dav1d_filter_sbrow_16bpc /src/dav1d/src/recon_tmpl.c:1620:13
        #3 0x4d2bff in dav1d_decode_frame /src/dav1d/src/decode.c:2882:25
        #4 0x4aa79d in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9
        #5 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77
        #6 0x7f73351be6b9 in start_thread

clusterfuzz-testcase-minimized-dav1d_fuzzer_mt-5741861168218112

3. use of uninitilized value in resize_c/iclip:

    ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
        #0 0x58e7d4 in iclip /src/dav1d/include/common/intops.h:44:28
        #1 0x58be67 in resize_c /src/dav1d/src/mc_tmpl.c:794:22
        #2 0x64e401 in backup_lpf /src/dav1d/src/lr_apply_tmpl.c:77:13
        #3 0x64dab9 in dav1d_lr_copy_lpf_8bpc /src/dav1d/src/lr_apply_tmpl.c:135:13
        #4 0x5c70a6 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1591:9
        #5 0x4d216e in dav1d_decode_frame /src/dav1d/src/decode.c:2824:25
        #6 0x4da976 in dav1d_submit_frame /src/dav1d/src/decode.c:3270:20
        #7 0x4acaa5 in dav1d_parse_obus /src/dav1d/src/obu.c:1208:20
        #8 0x4a7607 in dav1d_get_picture /src/dav1d/src/lib.c:214:20
        #9 0x49ffb9 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
        #10 0x6ab0db in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuz
zer/FuzzerLoop.cpp:571:15
        #11 0x663086 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/F
uzzerDriver.cpp:280:6
        #12 0x673eaa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)
) /src/libfuzzer/FuzzerDriver.cpp:713:9
        #13 0x6621b1 in main /src/libfuzzer/FuzzerMain.cpp:20:10
        #14 0x7f26f631982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
        #15 0x41e8e8 in _start

clusterfuzz-testcase-minimized-dav1d_fuzzer-5658693757042688