heap-buffer-overflow in dav1d_loopfilter_sbrow_16bpc() src/lf_apply.c
Found with commit 6ac49461
Steps to reproduce:
- build dav1d with AddressSanitizer
- replay testcase with dav1d fuzzer
==15372==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000140 at pc 0x0000006ec43a bp 0x7ffc9c472270 sp 0x7ffc9c472268
READ of size 1 at 0x611000000140 thread T0
#0 0x6ec439 in dav1d_loopfilter_sbrow_16bpc src/lf_apply.c:185:51
#1 0x6b7d6b in dav1d_filter_sbrow_16bpc src/recon.c:1456:9
#2 0x53d647 in dav1d_decode_frame src/decode.c:2667:25
#3 0x545ada in dav1d_submit_frame src/decode.c:3032:20
#4 0x51c48e in dav1d_parse_obus src/obu.c:1079:20
#5 0x517554 in dav1d_decode src/lib.c:193:20
#6 0x51297d in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:75:19
0x611000000140 is located 0 bytes to the right of 256-byte region [0x611000000040,0x611000000140)
allocated by thread T0 here:
#0 0x4da070 in malloc (dav1d_fuzzer+0x4da070)
#1 0x5373b2 in dav1d_decode_frame src/decode.c:2510:38
#2 0x545ada in dav1d_submit_frame src/decode.c:3032:20
#3 0x51c48e in dav1d_parse_obus src/obu.c:1079:20
#4 0x517554 in dav1d_decode src/lib.c:193:20
#5 0x51297d in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:75:19