oss-fuzz: use-of-uninitialized-value in loop_filter_v_sb128y_c() src/loopfilter.c
Reproduced with commit 46e2a2d0
Steps to reproduce:
- build dav1d with MemorySanitizer (-fsanitize=memory)
- replay the minimized testcase with
  ./dav1d_fuzzer clusterfuzz-testcase-minimized-dav1d_fuzzer-5648175751233536
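The two steps above as a reproduction script. This is an added example, not part of the original report or of the dav1d project. It assumes a dav1d checkout at $DAV1D_SRC, clang, meson and ninja in PATH, and the minimized testcase already downloaded from the oss-fuzz issue; the meson option names enable_asm and fuzzing_engine and the location of the fuzzer binary inside the build tree are assumptions to check against meson_options.txt and tests/libfuzzer/meson.build in your checkout.

```shell
#!/bin/sh
# Added example (not from the original report or the dav1d project): build the
# dav1d libFuzzer harness under MemorySanitizer and replay a ClusterFuzz testcase.
# Assumptions: dav1d source at $DAV1D_SRC (default "."), clang/meson/ninja in PATH,
# option names enable_asm and fuzzing_engine as in dav1d's meson_options.txt, and
# the fuzzer binary emitted at tests/libfuzzer/dav1d_fuzzer inside the build dir.

DAV1D_SRC="${DAV1D_SRC:-.}"
BUILD_DIR="${BUILD_DIR:-build-msan}"
FUZZER_BIN="${FUZZER_BIN:-$BUILD_DIR/tests/libfuzzer/dav1d_fuzzer}"

# Configure flags for an MSan build. MSan reports any read of memory it never
# saw written, so every object must be instrumented. Hand-written assembly is
# not, which is why enable_asm is off: with it on you get spurious reports from
# the SIMD paths instead of (or on top of) the real one in the C loop filter.
msan_meson_args() {
    printf '%s\n' \
        -Dbuildtype=debugoptimized \
        -Db_sanitize=memory \
        -Db_lundef=false \
        -Denable_asm=false \
        -Dfuzzing_engine=libfuzzer
}

# Sanity check before spending a build: a configuration without the sanitizer
# or with assembly enabled cannot reproduce this class of finding cleanly.
# Returns 0 when the argument string is MSan-ready, 1 otherwise.
args_are_msan_ready() {
    echo "$1" | grep -q -- '-Db_sanitize=memory' || return 1
    echo "$1" | grep -q -- '-Denable_asm=false' || return 1
    return 0
}

configure_and_build() {
    # Word-splitting of the args is intended here.
    # shellcheck disable=SC2046
    CC=clang meson setup "$BUILD_DIR" "$DAV1D_SRC" $(msan_meson_args) &&
    ninja -C "$BUILD_DIR"
}

# Replay one testcase. llvm-symbolizer turns raw addresses into the file:line
# frames shown in the report; halt_on_error stops at the first report so the
# origin ("created by a heap allocation") is printed for that one read.
replay() {
    MSAN_SYMBOLIZER_PATH="${MSAN_SYMBOLIZER_PATH:-$(command -v llvm-symbolizer)}" \
    MSAN_OPTIONS="halt_on_error=1:print_stats=1" \
    "$FUZZER_BIN" "$1"
}

# Usage: sh repro-msan.sh clusterfuzz-testcase-minimized-dav1d_fuzzer-5648175751233536
if [ "$#" -gt 0 ]; then
    args_are_msan_ready "$(msan_meson_args | tr '\n' ' ')" \
        || { echo "configure args are not MSan-ready" >&2; exit 1; }
    configure_and_build && replay "$1"
fi
```

The check in args_are_msan_ready is the part worth keeping even if you build by hand: an MSan report from a build that still links dav1d's assembly is not trustworthy, since the uninstrumented code looks to MSan like it never wrote the memory it filled.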
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x645cf8 in loop_filter_v_sb128y_c src/loopfilter.c:189:27
#1 0x6f1f71 in filter_plane_rows_y src/lf_apply.c:97:9
#2 0x6efe8f in dav1d_loopfilter_sbrow_8bpc src/lf_apply.c:276:9
#3 0x6804fa in dav1d_filter_sbrow_8bpc src/recon.c:1459:9
#4 0x5bbe4e in dav1d_decode_frame src/decode.c:2673:25
#5 0x5c320b in dav1d_submit_frame src/decode.c:3041:20
#6 0x598a3f in dav1d_parse_obus src/obu.c:1110:20
#7 0x59349e in dav1d_decode src/lib.c:201:20
#8 0x58d0c2 in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:82:19
#9 0x4eacbb in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
#10 0x4a3186 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
#11 0x4b3faa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
#12 0x4a22b1 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#13 0x7f49187a882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
#14 0x41ecb8 in _start
Uninitialized value was created by a heap allocation
#0 0x45f4c0 in malloc /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:910
#1 0x5b8439 in dav1d_decode_frame src/decode.c:2464:23
#2 0x5c320b in dav1d_submit_frame src/decode.c:3041:20
#3 0x598a3f in dav1d_parse_obus src/obu.c:1110:20
#4 0x59349e in dav1d_decode src/lib.c:201:20
#5 0x58d0c2 in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:82:19
#6 0x4eacbb in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
#7 0x4a3186 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
#8 0x4b3faa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
#9 0x4a22b1 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#10 0x7f49187a882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291