oss-fuzz: unknown read in dav1d_put_bilin_avx2
Test case: clusterfuzz-testcase-minimized-dav1d_fuzzer-5739751889436672
Thread 1 "dav1d_fuzzer" received signal SIGSEGV, Segmentation fault.
0x0000000000684b04 in dav1d_put_bilin_avx2.put_w16 ()
(gdb) bt
#0 0x0000000000684b04 in dav1d_put_bilin_avx2.put_w16 ()
#1 0x00000000006141ac in mc () at ../../src/dav1d/src/recon_tmpl.c:913
#2 0x0000000000615892 in obmc () at ../../src/dav1d/src/recon_tmpl.c:1010
#3 0x0000000000610f2b in dav1d_recon_b_inter_8bpc () at ../../src/dav1d/src/recon_tmpl.c:1689
#4 0x0000000000565f38 in decode_b () at ../../src/dav1d/src/decode.c:1858
#5 0x00000000005971f9 in decode_sb () at ../../src/dav1d/src/decode.c:2167
#6 0x00000000005966be in decode_sb () at ../../src/dav1d/src/decode.c:2090
#7 0x0000000000596bc3 in decode_sb () at ../../src/dav1d/src/decode.c:2093
#8 0x0000000000594349 in dav1d_decode_tile_sbrow () at ../../src/dav1d/src/decode.c:2555
#9 0x000000000059c880 in dav1d_decode_frame () at ../../src/dav1d/src/decode.c:3006
#10 0x00000000005a2cba in dav1d_submit_frame () at ../../src/dav1d/src/decode.c:3471
#11 0x00000000005b79ba in dav1d_parse_obus () at ../../src/dav1d/src/obu.c:1545
#12 0x0000000000553757 in dav1d_get_picture () at ../../src/dav1d/src/lib.c:372
#13 0x0000000000550203 in LLVMFuzzerTestOneInput () at ../../src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:144
#14 0x0000000000459a92 in ExecuteCallback () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:554
#15 0x00000000004442c2 in RunOneTest () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292
#16 0x0000000000449fdf in FuzzerDriver () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:775
#17 0x0000000000473963 in main () at /src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19
(gdb) disassemble
Dump of assembler code for function dav1d_put_bilin_avx2.put_w16:
0x0000000000684af6 <+0>: vmovdqu (%rdx),%xmm0
0x0000000000684afa <+4>: vmovdqu (%rdx,%rcx,1),%xmm1
0x0000000000684aff <+9>: vmovdqu (%rdx,%rcx,2),%xmm2
=> 0x0000000000684b04 <+14>: vmovdqu (%rdx,%rax,1),%xmm3
0x0000000000684b09 <+19>: lea (%rdx,%rcx,4),%rdx
0x0000000000684b0d <+23>: vmovdqa %xmm0,(%rdi)
0x0000000000684b11 <+27>: vmovdqa %xmm1,(%rdi,%rsi,1)
0x0000000000684b16 <+32>: vmovdqa %xmm2,(%rdi,%rsi,2)
0x0000000000684b1b <+37>: vmovdqa %xmm3,(%rdi,%r10,1)
0x0000000000684b21 <+43>: lea (%rdi,%rsi,4),%rdi
0x0000000000684b25 <+47>: sub $0x4,%r9d
0x0000000000684b29 <+51>: jg 0x684af6 <dav1d_put_bilin_avx2.put_w16>
0x0000000000684b2b <+53>: retq
End of assembler dump.
(gdb) info registers
rax 0x3000 12288
rbx 0x10 16
rcx 0x1000 4096
rdx 0x7ffff1a76060 140737247666272
rsi 0x10 16
rdi 0x7ffff3fb2ae0 140737286712032
rbp 0x7fffffffce50 0x7fffffffce50
rsp 0x7fffffffcd38 0x7fffffffcd38
r8 0x684af6 6834934
r9 0x2 2
r10 0x30 48
r11 0x684a84 6834820
r12 0x0 0
r13 0x0 0
r14 0x685fc0 6840256
r15 0x2 2
rip 0x684b04 0x684b04 <dav1d_put_bilin_avx2.put_w16+14>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
I can reproduce the issue only in oss-fuzz's Docker image (see https://google.github.io/oss-fuzz/advanced-topics/debugging/#debugging-fuzzers-with-gdb).
Reported as a regression since 6ef9a030 (frame size limit change in dav1d_fuzzer).
Monorail issue and oss-fuzz report (access limited).