heap-buffer-overflow in dav1d_loopfilter_sbrow_8bpc() src/lf_apply_tmpl.c
Found locally with commit acde4240
Steps to reproduce:
- build dav1d with AddressSanitizer (-fsanitize=address)
- replay the testcase with: ./dav1d_fuzzer testcase.ivf
==19634==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000120 at pc 0x0000006c2b89 bp 0x7ffeba8c2b90 sp 0x7ffeba8c2b88
READ of size 1 at 0x606000000120 thread T0
#0 0x6c2b88 in dav1d_loopfilter_sbrow_8bpc src/lf_apply_tmpl.c:212:31
#1 0x64748a in dav1d_filter_sbrow_8bpc src/recon_tmpl.c:1459:9
#2 0x53d6f6 in dav1d_decode_frame src/decode.c:2673:25
#3 0x545e0e in dav1d_submit_frame src/decode.c:3041:20
#4 0x51d1ee in dav1d_parse_obus src/obu.c:1110:20
#5 0x518274 in dav1d_decode src/lib.c:201:20
#6 0x512afe in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:83:19
#7 0x513446 in main tests/libfuzzer/main.c:87:11
#8 0x7ff68cbd182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#9 0x41a2f9 in _start (dav1d_fuzzer+0x41a2f9)
0x606000000120 is located 0 bytes to the right of 64-byte region [0x6060000000e0,0x606000000120)
allocated by thread T0 here:
#0 0x4da1a0 in malloc (dav1d_fuzzer+0x4da1a0)
#1 0x538812 in dav1d_decode_frame src/decode.c:2514:38
#2 0x545e0e in dav1d_submit_frame src/decode.c:3041:20
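As an added triage helper (not part of this report or of the dav1d project), the script below parses the sanitizer output above and pulls out what a maintainer needs to classify the bug: the faulting source frame, the allocation site, the allocation size, and whether the read starts exactly at the end of the 64-byte region (an adjacent, off-by-one style overrun rather than a wild pointer). The report string is copied from the output above, trimmed to the frames the parser uses.

```python
import re

# ASan output quoted from the bug report above (stacks trimmed to the frames used here).
ASAN_REPORT = """\
==19634==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000120 at pc 0x0000006c2b89 bp 0x7ffeba8c2b90 sp 0x7ffeba8c2b88
READ of size 1 at 0x606000000120 thread T0
    #0 0x6c2b88 in dav1d_loopfilter_sbrow_8bpc src/lf_apply_tmpl.c:212:31
    #1 0x64748a in dav1d_filter_sbrow_8bpc src/recon_tmpl.c:1459:9
    #2 0x53d6f6 in dav1d_decode_frame src/decode.c:2673:25
0x606000000120 is located 0 bytes to the right of 64-byte region [0x6060000000e0,0x606000000120)
allocated by thread T0 here:
    #0 0x4da1a0 in malloc (dav1d_fuzzer+0x4da1a0)
    #1 0x538812 in dav1d_decode_frame src/decode.c:2514:38
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^\s*(READ|WRITE) of size (\d+) at", re.M)
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
REGION_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")


def first_source_frame(stack: str):
    """First frame that carries file:line info; frames like '(dav1d_fuzzer+0x...)' lack it."""
    for func, loc in FRAME_RE.findall(stack):
        parts = loc.split(":")
        if len(parts) >= 2 and parts[1].isdigit():
            return func, parts[0], int(parts[1])
    return None


def triage(report: str) -> dict:
    """Extract the facts needed to classify a heap-buffer-overflow report."""
    bug, addr = ERROR_RE.search(report).groups()
    rw, size = ACCESS_RE.search(report).groups()
    dist, side, region, _lo, hi = REGION_RE.search(report).groups()
    # Everything before "allocated by" is the faulting stack; after it, the allocation stack.
    access_stack, _, alloc_stack = report.partition("allocated by")
    overrun = int(dist) + int(size) if side == "right" else 0
    return {
        "bug": bug,
        "access": (rw, int(size)),
        "fault": first_source_frame(access_stack),
        "alloc": first_source_frame(alloc_stack),
        "region_size": int(region),
        "overrun": overrun,                         # bytes touched beyond the end of the allocation
        "adjacent": int(addr, 16) == int(hi, 16),   # access begins exactly at the region's end
    }


if __name__ == "__main__":
    for key, value in triage(ASAN_REPORT).items():
        print(f"{key:12} {value}")
```

An adjacent 1-byte read with the allocation in dav1d_decode_frame and the access in the loop filter points at a bound or stride mismatch between the two functions, which is where the fix review should start.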