heap-buffer-overflow in dav1d_loopfilter_sbrow_16bpc() src/lf_apply.c

Found with commit 6ac49461

Steps to reproduce:

  1. build dav1d with AddressSanitizer
  2. replay testcase with dav1d fuzzer

testcase.ivf

==15372==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000140 at pc 0x0000006ec43a bp 0x7ffc9c472270 sp 0x7ffc9c472268
READ of size 1 at 0x611000000140 thread T0
    #0 0x6ec439 in dav1d_loopfilter_sbrow_16bpc src/lf_apply.c:185:51
    #1 0x6b7d6b in dav1d_filter_sbrow_16bpc src/recon.c:1456:9
    #2 0x53d647 in dav1d_decode_frame src/decode.c:2667:25
    #3 0x545ada in dav1d_submit_frame src/decode.c:3032:20
    #4 0x51c48e in dav1d_parse_obus src/obu.c:1079:20
    #5 0x517554 in dav1d_decode src/lib.c:193:20
    #6 0x51297d in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:75:19

0x611000000140 is located 0 bytes to the right of 256-byte region [0x611000000040,0x611000000140)
allocated by thread T0 here:
    #0 0x4da070 in malloc (dav1d_fuzzer+0x4da070)
    #1 0x5373b2 in dav1d_decode_frame src/decode.c:2510:38
    #2 0x545ada in dav1d_submit_frame src/decode.c:3032:20
    #3 0x51c48e in dav1d_parse_obus src/obu.c:1079:20
    #4 0x517554 in dav1d_decode src/lib.c:193:20
    #5 0x51297d in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:75:19
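As an added example (not part of this issue and not dav1d code), the script below triages the AddressSanitizer report above the way a fuzzing pipeline would before filing or deduplicating a crash: it parses the bug class and access, the faulting stack, the allocation stack and the heap-region line, cross-checks that the "N bytes to the right" text agrees with the raw addresses, finds the first allocation frame inside the project, and derives a stable deduplication key from the top frame. The report text is embedded as sample input (whitespace aside, copied from the issue); the regular expressions and the list of allocator function names are assumptions about the ASan output format, not something dav1d provides.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the ASan report from the issue above, embedded so the triage runs offline.
ASAN_REPORT = """\
==15372==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000140 at pc 0x0000006ec43a bp 0x7ffc9c472270 sp 0x7ffc9c472268
READ of size 1 at 0x611000000140 thread T0
    #0 0x6ec439 in dav1d_loopfilter_sbrow_16bpc src/lf_apply.c:185:51
    #1 0x6b7d6b in dav1d_filter_sbrow_16bpc src/recon.c:1456:9
    #2 0x53d647 in dav1d_decode_frame src/decode.c:2667:25
    #3 0x545ada in dav1d_submit_frame src/decode.c:3032:20
    #4 0x51c48e in dav1d_parse_obus src/obu.c:1079:20
    #5 0x517554 in dav1d_decode src/lib.c:193:20
    #6 0x51297d in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:75:19

0x611000000140 is located 0 bytes to the right of 256-byte region [0x611000000040,0x611000000140)
allocated by thread T0 here:
    #0 0x4da070 in malloc (dav1d_fuzzer+0x4da070)
    #1 0x5373b2 in dav1d_decode_frame src/decode.c:2510:38
    #2 0x545ada in dav1d_submit_frame src/decode.c:3032:20
    #3 0x51c48e in dav1d_parse_obus src/obu.c:1079:20
    #4 0x517554 in dav1d_decode src/lib.c:193:20
    #5 0x51297d in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:75:19
"""

# Assumed ASan line formats (these regexes are my assumption about the output, not a dav1d API).
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
REGION_RE = re.compile(
    r"^(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
ALLOC_RE = re.compile(r"^allocated by thread")
ALLOCATORS = {"malloc", "calloc", "realloc", "posix_memalign", "aligned_alloc"}  # assumed list


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line:col" or "(module+offset)" when unsymbolised

    def file_line(self) -> str:
        """Drop the column so the key survives small edits on the same line."""
        parts = self.location.split(":")
        return ":".join(parts[:2]) if len(parts) >= 2 else self.location


@dataclass
class Triage:
    kind: str = ""
    address: int = 0
    access: str = ""
    size: int = 0
    fault_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    region_start: int = 0
    region_end: int = 0
    offset: int = 0
    side: str = ""


def parse_asan_report(text: str) -> Triage:
    """Single pass over the report; frames go to the fault stack until the
    'allocated by' line switches collection to the allocation stack."""
    t = Triage()
    current = t.fault_stack
    for raw in text.splitlines():
        line = raw.strip()
        if m := ERROR_RE.search(line):
            t.kind, t.address = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            t.access, t.size = m.group(1), int(m.group(2))
        elif m := REGION_RE.match(line):
            t.offset, t.side = int(m.group(2)), m.group(3)
            t.region_start, t.region_end = int(m.group(5), 16), int(m.group(6), 16)
        elif ALLOC_RE.match(line):
            current = t.alloc_stack
        elif m := FRAME_RE.match(line):
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return t


def address_consistent(t: Triage) -> bool:
    """Cross-check: the prose offset must agree with the raw addresses (catches truncated or mixed reports)."""
    if t.side == "right":
        return t.address - t.region_end == t.offset
    return t.region_start - t.address == t.offset


def bytes_out_of_bounds(t: Triage) -> int:
    """How many bytes beyond the buffer end the access reaches (offset plus access size)."""
    return t.offset + t.size if t.side == "right" else t.offset


def allocation_site(t: Triage) -> Optional[Frame]:
    """First allocation frame that belongs to the project, skipping the allocator itself."""
    return next((f for f in t.alloc_stack if f.function not in ALLOCATORS), None)


def crash_signature(t: Triage, depth: int = 1) -> str:
    """Deduplication key: bug class, access kind and the top `depth` faulting frames (file:line)."""
    frames = [f"{f.function}@{f.file_line()}" for f in t.fault_stack[:depth]]
    return ":".join([t.kind, t.access] + frames)


if __name__ == "__main__":
    t = parse_asan_report(ASAN_REPORT)
    print(crash_signature(t, depth=2))
    print("region", t.region_end - t.region_start, "bytes; overrun", bytes_out_of_bounds(t), "byte(s)")
    print("allocated at", allocation_site(t).function, allocation_site(t).location)
    print("addresses consistent:", address_consistent(t))
```

Run on the report above, the key comes out as `heap-buffer-overflow:READ:dav1d_loopfilter_sbrow_16bpc@src/lf_apply.c:185`, the region is the 256-byte block allocated at `src/decode.c:2510`, and the read reaches exactly one byte past its end; a second testcase hitting the same line produces the same key and can be folded into this issue rather than filed again.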