Skip to content

GitLab

Closed
Created by Tyson Smith@tysmith

memcpy-param-overlap in put_c() src/mc.c

Found with commit acd90b71

Steps to reproduce:

  1. build dav1d with AddressSanitizer
  2. run attached testcase with dav1d executable ./dav1d -i testcase.ivf -o out.ivf

testcase.ivf

Marked as confidential since this is a potential security issue and I'm not sure if this code is being use in production anywhere. Please feel free to open it if it safe to do so.

==32319==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7f95e62cc620,0x7f95e62cc640) and [0x7f95e62cc61e, 0x7f95e62cc63e) overlap
    #0 0x4a2a09 in __asan_memcpy (dav1d+0x4a2a09)
    #1 0x63214a in put_c src/mc.c:44:9
    #2 0x628de3 in put_bilin_c src/mc.c:280:9
    #3 0x65d6ef in mc src/recon.c:540:9
    #4 0x655318 in dav1d_recon_b_inter_16bpc src/recon.c:1073:9
    #5 0x525ed5 in decode_b src/decode.c:1204:13
    #6 0x50ef35 in decode_sb src/decode.c:1908:13
    #7 0x50e2ea in decode_sb src/decode.c:1855:21
    #8 0x50e26b in decode_sb src/decode.c:1853:21
    #9 0x50c27a in dav1d_decode_tile_sbrow src/decode.c:2228:13
    #10 0x515f72 in dav1d_decode_frame src/decode.c:2571:29
    #11 0x51ccd1 in dav1d_submit_frame src/decode.c:2956:20
    #12 0x504298 in dav1d_parse_obus src/obu.c:1075:20
    #13 0x4f5f87 in dav1d_decode src/lib.c:193:20
    #14 0x4eaa77 in main tools/dav1d.c:108:20
    #15 0x7f95e526382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #16 0x418d38 in _start (dav1d+0x418d38)

0x7f95e62cc620 is located 89632 bytes inside of 294912-byte region [0x7f95e62b6800,0x7f95e62fe800)
allocated by thread T0 here:
    #0 0x4b9740 in __interceptor_posix_memalign (dav1d+0x4b9740)
    #1 0x4f3b28 in dav1d_alloc_aligned include/common/mem.h:46:9
    #2 0x4f3b28 in dav1d_ref_create src/ref.c:40
    #3 0x4f1d92 in picture_alloc_with_edges src/picture.c:76:20
    #4 0x4f1d92 in dav1d_thread_picture_alloc src/picture.c:100

0x7f95e62cc61e is located 89630 bytes inside of 294912-byte region [0x7f95e62b6800,0x7f95e62fe800)
allocated by thread T0 here:
    #0 0x4b9740 in __interceptor_posix_memalign (dav1d+0x4b9740)
    #1 0x4f3b28 in dav1d_alloc_aligned include/common/mem.h:46:9
    #2 0x4f3b28 in dav1d_ref_create src/ref.c:40
    #3 0x4f1d92 in picture_alloc_with_edges src/picture.c:76:20
    #4 0x4f1d92 in dav1d_thread_picture_alloc src/picture.c:100
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information