Skip to content

stack-buffer-overflow in av1_get_fwd_ref_ctx() src/env.h

Found with commit 6ac49461

Steps to reproduce:

  1. build dav1d with AddressSanitizer
  2. run attached testcase with dav1d executable ./dav1d -i testcase.ivf -o out.ivf

testcase.ivf

==16685==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f5715e6411c at pc 0x0000005684b7 bp 0x7fffe9513c90 sp 0x7fffe9513c88
READ of size 4 at 0x7f5715e6411c thread T0
    #0 0x5684b6 in av1_get_fwd_ref_ctx src/env.h:367:52
    #1 0x5684b6 in decode_b src/decode.c:1525
    #2 0x532161 in decode_sb src/decode.c
    #3 0x5315d0 in decode_sb src/decode.c:2070:17
    #4 0x52fcb7 in dav1d_decode_tile_sbrow src/decode.c:2319:13
    #5 0x53d42d in dav1d_decode_frame src/decode.c:2662:29
    #6 0x545acf in dav1d_submit_frame src/decode.c:3032:20
    #7 0x51c43e in dav1d_parse_obus src/obu.c:1079:20
    #8 0x517504 in dav1d_decode src/lib.c:193:20
    #9 0x51294d in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:75:19

Address 0x7f5715e6411c is located in stack of thread T0 at offset 284 in frame
    #0 0x54763f in decode_b src/decode.c:674
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

VideoLAN code repository instance