heap-buffer-overflow in setup_tile dav1d/src/decode.c
Found with commit acd90b71 Steps to reproduce:
- build dav1d with AddressSanitizer
- run attached testcase with dav1d executable ./dav1d -i testcase.ivf -o out.ivf
Marked as confidential since this is a security issue and I'm not sure if this code is being use in production anywhere. Please feel free to open it if it safe to do so.
==26914==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63100003d7c0 at pc 0x0000005185b2 bp 0x7ffdaae44150 sp 0x7ffdaae44148 WRITE of size 8 at 0x63100003d7c0 thread T0 #0 0x5185b1 in setup_tile dav1d/src/decode.c:2039:30 #1 0x5185b1 in dav1d_decode_frame dav1d/src/decode.c:2522 #2 0x51ccd1 in dav1d_submit_frame dav1d/src/decode.c:2956:20 #3 0x504298 in dav1d_parse_obus dav1d/src/obu.c:1075:20 #4 0x4f5f87 in dav1d_decode dav1d/src/lib.c:193:20 #5 0x4eaa77 in main dav1d/tools/dav1d.c:108:20 #6 0x7f652cd7182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291 #7 0x418d38 in _start (dav1d+0x418d38)