oss-fuzz: global-buffer-overflow on address 0x7f9a5fbf3c48
reproduce with ./build-asan/tests/dav1d_fuzzer clusterfuzz-testcase-minimized-dav1d_fuzzer-5657088496238592
Error parsing frame header
=================================================================
==16440==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f9a5fbf3c48 at pc 0x7f9a5fbc7597
bp 0x7ffff1cd09f0 sp 0x7ffff1cd09e0
READ of size 1 at 0x7f9a5fbf3c48 thread T0
#0 0x7f9a5fbc7596 in warp_affine_8x8_c ../src/mc.c:458
#1 0x7f9a5fbd5739 in warp_affine ../src/recon.c:679
#2 0x7f9a5fbdfae4 in dav1d_recon_b_inter_16bpc ../src/recon.c:1093
#3 0x7f9a5fb1a8d2 in decode_b ../src/decode.c:1743
#4 0x7f9a5fb3174b in decode_sb ../src/decode.c:2010
#5 0x7f9a5fb309e4 in decode_sb ../src/decode.c:2070
#6 0x7f9a5fb309e4 in decode_sb ../src/decode.c:2070
#7 0x7f9a5fb32944 in dav1d_decode_tile_sbrow ../src/decode.c:2319
#8 0x7f9a5fb3753e in dav1d_decode_frame ../src/decode.c:2664
#9 0x7f9a5fb3b157 in dav1d_submit_frame ../src/decode.c:3036
#10 0x7f9a5fb068cd in dav1d_parse_obus ../src/obu.c:1088
#11 0x7f9a5fbe62e7 in dav1d_decode ../src/lib.c:201
#12 0x5602c9ee8f6d in LLVMFuzzerTestOneInput ../tests/libfuzzer/dav1d_fuzzer.c:82
#13 0x5602c9ee873f in main ../tests/libfuzzer/main.c:87
#14 0x7f9a5f512ae6 in __libc_start_main (/lib64/libc.so.6+0x21ae6)
#15 0x5602c9ee8969 in _start (/home/janne/src/dav1d/build-asan/tests/dav1d_fuzzer+0x1969)
0x7f9a5fbf3c48 is located 24 bytes to the left of global variable 'dav1d_mc_subpel_filters' defined in '../src/tables.c:531:14' (0x7f9a5fbf3c60) of size 600
0x7f9a5fbf3c48 is located 32 bytes to the right of global variable 'dav1d_mc_warp_filter' defined in '../src/tables.c:616:14' (0x7f9a5fbf3620) of size 1544
SUMMARY: AddressSanitizer: global-buffer-overflow ../src/mc.c:458 in warp_affine_8x8_c
Shadow bytes around the buggy address:
0x0ff3cbf76730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff3cbf76740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff3cbf76750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff3cbf76760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff3cbf76770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff3cbf76780: 00 00 00 00 00 f9 f9 f9 f9[f9]f9 f9 00 00 00 00
0x0ff3cbf76790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff3cbf767a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff3cbf767b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff3cbf767c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff3cbf767d0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
==16440==ABORTING