memcpy-param-overlap in put_c() src/mc.c
Found with commit acd90b71
Steps to reproduce:
- build dav1d with AddressSanitizer
- run attached testcase with dav1d executable ./dav1d -i testcase.ivf -o out.ivf
Marked as confidential since this is a potential security issue and I'm not sure if this code is being used in production anywhere. Please feel free to open it if it is safe to do so.
==32319==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7f95e62cc620,0x7f95e62cc640) and [0x7f95e62cc61e, 0x7f95e62cc63e) overlap
#0 0x4a2a09 in __asan_memcpy (dav1d+0x4a2a09)
#1 0x63214a in put_c src/mc.c:44:9
#2 0x628de3 in put_bilin_c src/mc.c:280:9
#3 0x65d6ef in mc src/recon.c:540:9
#4 0x655318 in dav1d_recon_b_inter_16bpc src/recon.c:1073:9
#5 0x525ed5 in decode_b src/decode.c:1204:13
#6 0x50ef35 in decode_sb src/decode.c:1908:13
#7 0x50e2ea in decode_sb src/decode.c:1855:21
#8 0x50e26b in decode_sb src/decode.c:1853:21
#9 0x50c27a in dav1d_decode_tile_sbrow src/decode.c:2228:13
#10 0x515f72 in dav1d_decode_frame src/decode.c:2571:29
#11 0x51ccd1 in dav1d_submit_frame src/decode.c:2956:20
#12 0x504298 in dav1d_parse_obus src/obu.c:1075:20
#13 0x4f5f87 in dav1d_decode src/lib.c:193:20
#14 0x4eaa77 in main tools/dav1d.c:108:20
#15 0x7f95e526382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#16 0x418d38 in _start (dav1d+0x418d38)
0x7f95e62cc620 is located 89632 bytes inside of 294912-byte region [0x7f95e62b6800,0x7f95e62fe800)
allocated by thread T0 here:
#0 0x4b9740 in __interceptor_posix_memalign (dav1d+0x4b9740)
#1 0x4f3b28 in dav1d_alloc_aligned include/common/mem.h:46:9
#2 0x4f3b28 in dav1d_ref_create src/ref.c:40
#3 0x4f1d92 in picture_alloc_with_edges src/picture.c:76:20
#4 0x4f1d92 in dav1d_thread_picture_alloc src/picture.c:100
0x7f95e62cc61e is located 89630 bytes inside of 294912-byte region [0x7f95e62b6800,0x7f95e62fe800)
allocated by thread T0 here:
#0 0x4b9740 in __interceptor_posix_memalign (dav1d+0x4b9740)
#1 0x4f3b28 in dav1d_alloc_aligned include/common/mem.h:46:9
#2 0x4f3b28 in dav1d_ref_create src/ref.c:40
#3 0x4f1d92 in picture_alloc_with_edges src/picture.c:76:20
#4 0x4f1d92 in dav1d_thread_picture_alloc src/picture.c:100
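The report above says the two 32-byte memcpy ranges start two bytes apart (0x...620 vs 0x...61e), so they overlap and the result of memcpy is undefined; AddressSanitizer flags exactly this condition. The following is an added example, not dav1d code and not a reconstruction of put_c(): it spells out the half-open range test behind the memcpy-param-overlap check, applies it to the addresses quoted in the report, and shows a copy helper that falls back to memmove (which is defined for overlapping ranges) so the shifted-copy result is deterministic. The buffer contents and the helper names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two half-open byte ranges [a, a+n) and [b, b+n) overlap iff each one
 * starts before the other ends. This is the test AddressSanitizer applies
 * before reporting memcpy-param-overlap (expressed here as plain arithmetic). */
static int ranges_overlap(uintptr_t a, uintptr_t b, size_t n)
{
    return a < b + n && b < a + n;
}

/* Copy helper (hypothetical, not a dav1d function): memcpy on disjoint
 * ranges, memmove when they overlap. Returns 1 when memmove was needed,
 * which is the case a fuzzer-found report like the one above would hit. */
static int safe_copy(void *dst, const void *src, size_t n)
{
    if (ranges_overlap((uintptr_t)dst, (uintptr_t)src, n)) {
        memmove(dst, src, n);
        return 1;
    }
    memcpy(dst, src, n);
    return 0;
}

/* The geometry from the ASan report: 0x20-byte ranges whose starts differ by 2. */
static int report_ranges_overlap(void)
{
    return ranges_overlap((uintptr_t)0x7f95e62cc620ULL,
                          (uintptr_t)0x7f95e62cc61eULL, 0x20);
}

/* Constructed data: bytes 0..63, then copy 32 bytes two positions forward
 * inside the same buffer. With memmove, buf[2..33] must equal 0..31; with
 * memcpy the outcome would be undefined. Returns 1 only if the copy was
 * routed through memmove and produced the expected shifted sequence. */
static int shifted_copy_is_correct(void)
{
    unsigned char buf[64];
    for (int i = 0; i < 64; i++) buf[i] = (unsigned char)i;

    int used_memmove = safe_copy(buf + 2, buf, 32); /* dst = src + 2: overlaps */

    for (int i = 0; i < 32; i++)
        if (buf[i + 2] != (unsigned char)i) return 0;
    return used_memmove;
}

int main(void)
{
    printf("report ranges overlap: %d\n", report_ranges_overlap());
    printf("adjacent ranges overlap: %d\n",
           ranges_overlap(0x1000, 0x1020, 0x20)); /* touching, not overlapping */
    printf("shifted in-buffer copy correct via memmove: %d\n",
           shifted_copy_is_correct());
    return 0;
}
```

The adjacent-range case is included because the test is half-open: a destination that begins exactly where the source ends is legal for memcpy, and a check that used closed ranges would misreport it.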