  1. Nov 28, 2018
      4a4478b9
      oss-fuzz: add test case for use of uninitialized value in put_8tap_scaled_c · 8a7d66bf
      Janne Grunau authored and committed
      ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x5a2c04 in iclip /src/dav1d/include/common/intops.h:44:28
          #1 0x5a3ee1 in put_8tap_scaled_c /src/dav1d/src/mc_tmpl.c:0
          #2 0x597b07 in put_8tap_smooth_scaled_c /src/dav1d/src/mc_tmpl.c:330:1
          #3 0x5d71c7 in mc /src/dav1d/src/recon_tmpl.c:593:13
          #4 0x5cf67d in dav1d_recon_b_inter_8bpc /src/dav1d/src/recon_tmpl.c:1299:27
          #5 0x501f0f in decode_b /src/dav1d/src/decode.c:1827:17
          #6 0x4ccced in decode_sb /src/dav1d/src/decode.c:1961:17
          #7 0x4cd802 in decode_sb /src/dav1d/src/decode.c:2005:21
          #8 0x4cd802 in decode_sb /src/dav1d/src/decode.c:2005:21
          #9 0x4cd802 in decode_sb /src/dav1d/src/decode.c:2005:21
          #10 0x4c9833 in dav1d_decode_tile_sbrow /src/dav1d/src/decode.c:2469:13
          #11 0x4ad905 in dav1d_tile_task /src/dav1d/src/thread_task.c:125:25
          #12 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77
      8a7d66bf
      oss-fuzz: add testcase for NULL dereference read in parse_frame_hdr · 18247ab6
      Janne Grunau authored and committed
      ==1==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000010 (pc 0x00000043665f bp 0x7fff587b6710 sp 0x7fff587b6640 T1)
      ==1==The signal is caused by a READ memory access.
      ==1==Hint: address points to the zero page.
          #0 0x43665e in parse_frame_hdr /src/dav1d/src/obu.c:464:49
          #1 0x434120 in dav1d_parse_obus /src/dav1d/src/obu.c:1271:20
          #2 0x43222e in dav1d_get_picture /src/dav1d/src/lib.c:317:20
          #3 0x42f167 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:117:19
          #4 0x503eb8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #5 0x4f44d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #6 0x4f814b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #7 0x4f4258 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #8 0x7fa36446682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #9 0x405cd8 in _start
      18247ab6
      oss-fuzz: add test case for use of uninitialized data in generate_grain_y · 96b94bb4
      Janne Grunau authored and committed
      ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x6722a4 in iclip /src/dav1d/include/common/intops.h:44:12
          #1 0x6694f0 in generate_grain_y /src/dav1d/src/film_grain_tmpl.c:105:25
          #2 0x667d8c in dav1d_apply_grain_10bpc /src/dav1d/src/film_grain_tmpl.c:486:5
          #3 0x4ab6b8 in output_image /src/dav1d/src/lib.c:266:9
          #4 0x4aacda in dav1d_get_picture /src/dav1d/src/lib.c:0
          #5 0x4a0259 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:131:15
          #6 0x6ddf1b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #7 0x695ec6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #8 0x6a6cea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #9 0x694ff1 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #10 0x7f0de309882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #11 0x41e8e8 in _start
        Uninitialized value was created by a heap allocation
          #0 0x46bd54 in __interceptor_posix_memalign /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:170
          #1 0x4a5019 in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x4a4e69 in dav1d_ref_create /src/dav1d/src/ref.c:41:18
          #3 0x4b00c9 in dav1d_parse_obus /src/dav1d/src/obu.c:1265:32
          #4 0x4aa30f in dav1d_get_picture /src/dav1d/src/lib.c:317:20
          #5 0x49ffda in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:117:19
          #6 0x6ddf1b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #7 0x695ec6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #8 0x6a6cea in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #9 0x694ff1 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #10 0x7f0de309882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      96b94bb4
      oss-fuzz: add test case for failed assert(!cdf[n_symbols - 1]) · 3e676a8d
      Janne Grunau authored and committed
      dav1d_fuzzer_mt: ../../src/dav1d/src/msac.c:79: unsigned int msac_decode_symbol(MsacContext *const, const uint16_t *const, const unsigned int): Assertion `!cdf[n_symbols - 1]' failed.
      UndefinedBehaviorSanitizer:DEADLYSIGNAL
      ==1==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x000000000001 (pc 0x7f797c702428 bp 0x0000005b05eb sp 0x7f797a247a88 T12)
          #0 0x7f797c702427 in gsignal /build/glibc-Cl5G7W/glibc-2.23/sysdeps/unix/sysv/linux/raise.c:54
          #1 0x7f797c704029 in abort /build/glibc-Cl5G7W/glibc-2.23/stdlib/abort.c:89
          #2 0x7f797c6fabd6 in __assert_fail_base /build/glibc-Cl5G7W/glibc-2.23/assert/assert.c:92
          #3 0x7f797c6fac81 in __assert_fail /build/glibc-Cl5G7W/glibc-2.23/assert/assert.c:101
          #4 0x45f047 in msac_decode_symbol /src/dav1d/src/msac.c:79:5
          #5 0x45fadd in msac_decode_symbol_adapt /src/dav1d/src/msac.c:159:26
          #6 0x43c3ce in decode_sb /src/dav1d/src/decode.c:1940:18
          #7 0x43b664 in dav1d_decode_tile_sbrow /src/dav1d/src/decode.c:2464:13
          #8 0x432d6e in dav1d_tile_task /src/dav1d/src/thread_task.c:89:29
          #9 0x7f797d3c96b9 in start_thread
      3e676a8d
      oss-fuzz: add test case for use-of-uninitialized-value in backup_lpf · cc062988
      Janne Grunau authored and committed
      ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x59bbd4 in iclip /src/dav1d/include/common/intops.h:44:28
          #1 0x599267 in resize_c /src/dav1d/src/mc_tmpl.c:794:22
          #2 0x6797e1 in backup_lpf /src/dav1d/src/lr_apply_tmpl.c:77:13
          #3 0x6787aa in dav1d_lr_copy_lpf_8bpc /src/dav1d/src/lr_apply_tmpl.c:115:9
          #4 0x5d4247 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1584:9
          #5 0x4d579e in dav1d_decode_frame /src/dav1d/src/decode.c:2830:25
          #6 0x4de348 in dav1d_submit_frame /src/dav1d/src/decode.c:3271:20
          #7 0x4adb6e in dav1d_parse_obus /src/dav1d/src/obu.c:1314:20
          #8 0x4a7c1a in dav1d_get_picture /src/dav1d/src/lib.c:271:20
          #9 0x49ffcc in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:117:19
          #10 0x6d646b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #11 0x68e416 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #12 0x69f23a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #13 0x68d541 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #14 0x7f79941b682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #15 0x41e8e8 in _start
      cc062988
  2. Nov 26, 2018
  3. Nov 24, 2018
      oss-fuzz: add test case for uninitialized picture data · 5f330589
      Janne Grunau authored and committed
      Discovered by apply_to_row_y().
      ==1==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffc5e8ea0a1 (pc 0x0000004e362c bp 0x7ffc5e8daef0 sp 0x7ffc5e8dadc0 T1)
          #0 0x4e362b in apply_to_row_y /src/dav1d/src/film_grain_tmpl.c:283:17
          #1 0x4e1d0a in dav1d_apply_grain_10bpc /src/dav1d/src/film_grain_tmpl.c:504:13
          #2 0x431a14 in output_image /src/dav1d/src/lib.c:199:9
          #3 0x431864 in dav1d_get_picture /src/dav1d/src/lib.c:0
          #4 0x42f252 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:131:15
          #5 0x502a88 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #6 0x501e55 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:480:3
          #7 0x5044a7 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:783:7
          #8 0x504845 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:806:3
          #9 0x4f6f3e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6
          #10 0x4f2e28 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #11 0x7f2438c2c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #12 0x405cd8 in _start
      SUMMARY: UndefinedBehaviorSanitizer: stack-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_dav1d_1dba850c6be01aadc39811634b000cc38db48773/revisions/dav1d_fuzzer_mt+0x4e362b)
      5f330589
      oss-fuzz: add test case for Use-of-uninitialized-value in apply_to_row_uv · 8776b49b
      Janne Grunau authored and committed
      ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x5e2f34 in iclip /src/dav1d/include/common/intops.h:44:12
          #1 0x5e027e in apply_to_row_uv /src/dav1d/src/film_grain_tmpl.c:431:17
          #2 0x5d9647 in dav1d_apply_grain_8bpc /src/dav1d/src/film_grain_tmpl.c:507:13
          #3 0x4a89e3 in output_image /src/dav1d/src/lib.c:197:9
          #4 0x4a8345 in dav1d_get_picture /src/dav1d/src/lib.c:0
          #5 0x49ffa7 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:117:19
          #6 0x6d552b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #7 0x68d4d6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #8 0x69e2fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #9 0x68c601 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #10 0x7f5e5cd2082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #11 0x41e8e8 in _start
        Uninitialized value was created by a heap allocation
          #0 0x46bd54 in __interceptor_posix_memalign /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:170
          #1 0x4a1119 in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x4a0ba8 in default_picture_allocator /src/dav1d/src/picture.c:59:21
          #3 0x4a0623 in fuzz_picture_allocator /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:52:12
          #4 0x4a1a57 in picture_alloc_with_edges /src/dav1d/src/picture.c:130:15
          #5 0x4a14df in dav1d_thread_picture_alloc /src/dav1d/src/picture.c:162:9
          #6 0x4db033 in dav1d_submit_frame /src/dav1d/src/decode.c:3098:11
          #7 0x4ad743 in dav1d_parse_obus /src/dav1d/src/obu.c:1292:20
          #8 0x4a7994 in dav1d_get_picture /src/dav1d/src/lib.c:251:20
          #9 0x49ffa7 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:117:19
          #10 0x6d552b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #11 0x68d4d6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #12 0x69e2fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #13 0x68c601 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #14 0x7f5e5cd2082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_dav1d_3cefbaa25c2c6bbdc887bbe62141145645bd0466/revisions/dav1d_fuzzer+0x5e2f34)
      8776b49b
  4. Nov 23, 2018
  5. Nov 22, 2018
  6. Nov 21, 2018
  7. Nov 20, 2018
      oss-fuzz: add test case for Heap-buffer-overflow in setup_tile · b571502a
      Janne Grunau authored
      ==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000056a at pc 0x00000054ba74 bp 0x7ffe7d7347d0 sp 0x7ffe7d7347c8
      WRITE of size 2 at 0x61900000056a thread T0
      SCARINESS: 43 (2-byte-write-heap-buffer-overflow-far-from-bounds)
          #0 0x54ba73 in setup_tile /src/dav1d/src/decode.c:2258:36
          #1 0x547bce in dav1d_decode_frame /src/dav1d/src/decode.c:2772:13
          #2 0x54e4a2 in dav1d_submit_frame /src/dav1d/src/decode.c:3275:20
          #3 0x533012 in dav1d_parse_obus /src/dav1d/src/obu.c:1296:20
          #4 0x52fd80 in dav1d_get_picture /src/dav1d/src/lib.c:250:20
          #5 0x52bc30 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #6 0x6428da in ExecuteFilesOnyByOne(int, char**) /src/libfuzzer/afl/afl_driver.cpp:301:5
          #7 0x642e3e in main /src/libfuzzer/afl/afl_driver.cpp:339:12
          #8 0x7f8b301cb82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #9 0x41c588 in _start
      Address 0x61900000056a is a wild pointer.
      SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-afl_dav1d_14dece08e8908088de8b5a0461ecc512e82f4c5d/revisions/dav1d_fuzzer+0x54ba73)
      Shadow bytes around the buggy address:
        0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c327fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
        0x0c327fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c327fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c327fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c327fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c327fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right red
      b571502a
      oss-fuzz: add test case for undefined left shift of negative value · 031fc25e
      Janne Grunau authored
      SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/dav1d/src/film_grain_tmpl.c:431:17 in ../../src/dav1d/src/film_grain_tmpl.c:431:17: runtime error: left shift of negative value -128
          #0 0x4a504c in apply_to_row_uv /src/dav1d/src/film_grain_tmpl.c:431:17
          #1 0x4a1209 in dav1d_apply_grain_8bpc /src/dav1d/src/film_grain_tmpl.c:511:17
          #2 0x4319c5 in output_image /src/dav1d/src/lib.c:196:9
          #3 0x431609 in dav1d_get_picture /src/dav1d/src/lib.c:264:16
          #4 0x42f126 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #5 0x4fc7e8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #6 0x4ece02 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #7 0x4f0a7b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #8 0x4ecb88 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #9 0x7f982d12482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #10 0x405cd8 in _start
      031fc25e
      oss-fuzz: add test case for use of uninitialized value originating in resize_c · bffc7c5a
      Janne Grunau authored
      Exemplary for other test cases with the same origin.
      
      ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x5a1ceb in imax /src/dav1d/include/common/intops.h:36:12
          #1 0x59e3eb in selfguided_filter /src/dav1d/src/looprestoration_tmpl.c:444:32
          #2 0x59ce12 in selfguided_c /src/dav1d/src/looprestoration_tmpl.c:542:9
          #3 0x668746 in lr_stripe /src/dav1d/src/lr_apply_tmpl.c:184:13
          #4 0x6675a2 in lr_sbrow /src/dav1d/src/lr_apply_tmpl.c:261:13
          #5 0x666326 in dav1d_lr_sbrow_8bpc /src/dav1d/src/lr_apply_tmpl.c:283:9
          #6 0x5ca768 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1627:9
          #7 0x4d53bf in dav1d_decode_frame /src/dav1d/src/decode.c:2886:25
          #8 0x4ab0ad in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9
          #9 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77
          #10 0x7f4ab65586b9 in start_thread
          #11 0x7f4ab596341c in clone /build/glibc-Cl5G7W/glibc-2.23/sysdeps/unix/sysv/linux/x86_64/clone.S:109
        Uninitialized value was stored to memory at
          #0 0x5a04e8 in boxsum5 /src/dav1d/src/looprestoration_tmpl.c:309:20
          #1 0x59e034 in selfguided_filter /src/dav1d/src/looprestoration_tmpl.c:428:9
          #2 0x59ce12 in selfguided_c /src/dav1d/src/looprestoration_tmpl.c:542:9
          #3 0x668746 in lr_stripe /src/dav1d/src/lr_apply_tmpl.c:184:13
          #4 0x6675a2 in lr_sbrow /src/dav1d/src/lr_apply_tmpl.c:261:13
          #5 0x666326 in dav1d_lr_sbrow_8bpc /src/dav1d/src/lr_apply_tmpl.c:283:9
          #6 0x5ca768 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1627:9
          #7 0x4d53bf in dav1d_decode_frame /src/dav1d/src/decode.c:2886:25
          #8 0x4ab0ad in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9
          #9 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77
        Uninitialized value was stored to memory at
          #0 0x5a014f in boxsum5 /src/dav1d/src/looprestoration_tmpl.c:291:17
          #1 0x59e034 in selfguided_filter /src/dav1d/src/looprestoration_tmpl.c:428:9
          #2 0x59ce12 in selfguided_c /src/dav1d/src/looprestoration_tmpl.c:542:9
          #3 0x668746 in lr_stripe /src/dav1d/src/lr_apply_tmpl.c:184:13
          #4 0x6675a2 in lr_sbrow /src/dav1d/src/lr_apply_tmpl.c:261:13
          #5 0x666326 in dav1d_lr_sbrow_8bpc /src/dav1d/src/lr_apply_tmpl.c:283:9
          #6 0x5ca768 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1627:9
          #7 0x4d53bf in dav1d_decode_frame /src/dav1d/src/decode.c:2886:25
          #8 0x4ab0ad in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9
          #9 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77
        Uninitialized value was stored to memory at
          #0 0x45f31d in __msan_memcpy.part.51 /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:1490
          #1 0x59d863 in padding /src/dav1d/src/looprestoration_tmpl.c:98:9
          #2 0x59c2cc in selfguided_c /src/dav1d/src/looprestoration_tmpl.c:521:5
          #3 0x668746 in lr_stripe /src/dav1d/src/lr_apply_tmpl.c:184:13
          #4 0x6675a2 in lr_sbrow /src/dav1d/src/lr_apply_tmpl.c:261:13
          #5 0x666326 in dav1d_lr_sbrow_8bpc /src/dav1d/src/lr_apply_tmpl.c:283:9
          #6 0x5ca768 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1627:9
          #7 0x4d53bf in dav1d_decode_frame /src/dav1d/src/decode.c:2886:25
          #8 0x4ab0ad in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9
          #9 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77
        Uninitialized value was created by a heap allocation
          #0 0x46bd54 in __interceptor_posix_memalign /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:170
          #1 0x4a1109 in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x4a0b98 in default_picture_allocator /src/dav1d/src/picture.c:59:21
          #3 0x4a0613 in fuzz_picture_allocator /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:49:12
          #4 0x4a1747 in picture_alloc_with_edges /src/dav1d/src/picture.c:130:15
          #5 0x4a1fbf in dav1d_thread_picture_alloc /src/dav1d/src/picture.c:169:9
          #6 0x4dadf0 in dav1d_submit_frame /src/dav1d/src/decode.c:3093:11
          #7 0x4ad5f3 in dav1d_parse_obus /src/dav1d/src/obu.c:1296:20
          #8 0x4a7977 in dav1d_get_picture /src/dav1d/src/lib.c:250:20
          #9 0x49ff97 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #10 0x6c27fb in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #11 0x67a7a6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #12 0x68b5ca in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #13 0x6798d1 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #14 0x7f4ab587c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      bffc7c5a
  8. Nov 19, 2018
      oss-fuzz: add test case for timeout in pthread_join/dav1d_close · bc157a3e
      Janne Grunau authored
      ALARM: working on the last Unit for 25 seconds
             and the timeout value is 25 (use -timeout=N to change)
      ==1== ERROR: libFuzzer: timeout after 25 seconds
          #0 0x42eca3 in __sanitizer_print_stack_trace /src/llvm/projects/compiler-rt/lib/ubsan/ubsan_diag_standalone.cc:29
          #1 0x5144d6 in fuzzer::PrintStackTrace() /src/libfuzzer/FuzzerUtil.cpp:206:5
          #2 0x4f18e2 in fuzzer::Fuzzer::AlarmCallback() /src/libfuzzer/FuzzerLoop.cpp:301:5
          #3 0x7ffb8a77f38f in libpthread.so.0
          #4 0x7ffb8a77698c in pthread_join
          #5 0x431a11 in dav1d_close /src/dav1d/src/lib.c:261:13
          #6 0x42f2fa in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:128:5
          #7 0x4f3338 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #8 0x4e3952 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #9 0x4e75cb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #10 0x4e36d8 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #11 0x7ffb89a9982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #12 0x405cd8 in _start
      custom-crash-state: dav1d_fuzzer_mt
      SUMMARY: libFuzzer: timeout
      bc157a3e
      uncomment all long running tests after c496fab4ab · 13b36b58
      Janne Grunau authored
      Probably means the samples are not that interesting anymore though.
      13b36b58
  9. Nov 18, 2018
      oss-fuzz: add testcase for ubsan mt timeout · c5447b2b
      Janne Grunau authored
      ==1== ERROR: libFuzzer: timeout after 25 seconds
          #0 0x42eca3 in __sanitizer_print_stack_trace /src/llvm/projects/compiler-rt/lib/ubsan/ubsan_diag_standalone.cc:29
          #1 0x513d56 in fuzzer::PrintStackTrace() /src/libfuzzer/FuzzerUtil.cpp:206:5
          #2 0x4f1162 in fuzzer::Fuzzer::AlarmCallback() /src/libfuzzer/FuzzerLoop.cpp:301:5
          #3 0x7faf4fdd238f in libpthread.so.0
          #4 0x7faf4fdce35f in __pthread_cond_wait
          #5 0x431661 in dav1d_get_picture /src/dav1d/src/lib.c:192:17
          #6 0x42f2a6 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:121:15
          #7 0x4f2bb8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #8 0x4e31d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #9 0x4e6e4b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #10 0x4e2f58 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #11 0x7faf4f0ec82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #12 0x405cd8 in _start
      custom-crash-state: dav1d_fuzzer_mt
      SUMMARY: libFuzzer: timeout
      c5447b2b
      oss-fuzz: add test case for Use-of-uninitialized-value in resize_c · 53dc2df8
      Janne Grunau authored
      ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x58e7d4 in iclip /src/dav1d/include/common/intops.h:44:28
          #1 0x58be67 in resize_c /src/dav1d/src/mc_tmpl.c:794:22
          #2 0x64e401 in backup_lpf /src/dav1d/src/lr_apply_tmpl.c:77:13
          #3 0x64dab9 in dav1d_lr_copy_lpf_8bpc /src/dav1d/src/lr_apply_tmpl.c:135:13
          #4 0x5c70a6 in dav1d_filter_sbrow_8bpc /src/dav1d/src/recon_tmpl.c:1591:9
          #5 0x4d216e in dav1d_decode_frame /src/dav1d/src/decode.c:2824:25
          #6 0x4da976 in dav1d_submit_frame /src/dav1d/src/decode.c:3270:20
          #7 0x4acaa5 in dav1d_parse_obus /src/dav1d/src/obu.c:1208:20
          #8 0x4a7607 in dav1d_get_picture /src/dav1d/src/lib.c:214:20
          #9 0x49ffb9 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #10 0x6ab0db in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #11 0x663086 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #12 0x673eaa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #13 0x6621b1 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #14 0x7f26f631982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #15 0x41e8e8 in _start
        Uninitialized value was created by a heap allocation
          #0 0x46bd54 in __interceptor_posix_memalign /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:170
          #1 0x4a1119 in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x4a0bb8 in default_picture_allocator /src/dav1d/src/picture.c:59:21
          #3 0x4a0633 in fuzz_picture_allocator /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:49:12
          #4 0x4a1734 in picture_alloc_with_edges /src/dav1d/src/picture.c:129:15
          #5 0x4a13eb in dav1d_picture_alloc /src/dav1d/src/picture.c:156:12
          #6 0x4d873a in dav1d_submit_frame /src/dav1d/src/decode.c:3105:15
          #7 0x4acaa5 in dav1d_parse_obus /src/dav1d/src/obu.c:1208:20
          #8 0x4a7607 in dav1d_get_picture /src/dav1d/src/lib.c:214:20
          #9 0x49ffb9 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #10 0x6ab0db in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #11 0x663086 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #12 0x673eaa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #13 0x6621b1 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #14 0x7f26f631982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      SUMMARY: MemorySanitizer: use-of-uninitialized-value (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_dav1d_3cefbaa25c2c6bbdc887bbe62141145645bd0466/revisions/dav1d_fuzzer+0x58e7d4)
      53dc2df8
  10. Nov 17, 2018
      oss-fuzz: add test case for Heap-buffer-overflow in setup_tile · a8ee1ea7
      Janne Grunau authored
      ==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000052a at pc 0x00000054bfd7 bp 0x7f222a875b90 sp 0x7f222a875b88
      WRITE of size 2 at 0x61900000052a thread T4
      SCARINESS: 43 (2-byte-write-heap-buffer-overflow-far-from-bounds)
          #0 0x54bfd6 in setup_tile /src/dav1d/src/decode.c:2257:36
          #1 0x547f4d in dav1d_decode_frame /src/dav1d/src/decode.c:2768:13
          #2 0x531d5f in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9
          #3 0x7f22316ee6b9 in start_thread
          #4 0x7f2230af941c in clone /build/glibc-Cl5G7W/glibc-2.23/sysdeps/unix/sysv/linux/x86_64/clone.S:109
      Address 0x61900000052a is a wild pointer.
      SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_dav1d_14dece08e8908088de8b5a0461ecc512e82f4c5d/revisions/dav1d_fuzzer_mt+0x54bfd6)
      Shadow bytes around the buggy address:
      Thread T4 created by T0 here:
          #0 0x436c6d in __interceptor_pthread_create _asan_rtl_
          #1 0x52f3f5 in dav1d_open /src/dav1d/src/lib.c:134:13
          #2 0x52bdf4 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:80:11
          #3 0x66a865 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #4 0x64008d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #5 0x64b8d6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #6 0x63f70c in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #7 0x7f2230a1282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      oss-fuzz: add test case for use of uninitialized value in resize_c · b1ba101c
      Janne Grunau authored
      ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x601684 in iclip /src/dav1d/include/common/intops.h:44:28
          #1 0x5fec4d in resize_c /src/dav1d/src/mc_tmpl.c:794:22
          #2 0x63b224 in dav1d_filter_sbrow_16bpc /src/dav1d/src/recon_tmpl.c:1620:13
          #3 0x4d2bff in dav1d_decode_frame /src/dav1d/src/decode.c:2882:25
          #4 0x4aa79d in dav1d_frame_task /src/dav1d/src/thread_task.c:44:9
          #5 0x49f1ae in __msan::MsanThread::ThreadStart() /src/llvm/projects/compiler-rt/lib/msan/msan_thread.cc:77
          #6 0x7f73351be6b9 in start_thread
          #7 0x7f73345c941c in clone /build/glibc-Cl5G7W/glibc-2.23/sysdeps/unix/sysv/linux/x86_64/clone.S:109
        Uninitialized value was created by a heap allocation
          #0 0x46bd54 in __interceptor_posix_memalign /src/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:170
          #1 0x4a1119 in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x4a0bb8 in default_picture_allocator /src/dav1d/src/picture.c:59:21
          #3 0x4a0633 in fuzz_picture_allocator /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:49:12
          #4 0x4a1734 in picture_alloc_with_edges /src/dav1d/src/picture.c:129:15
          #5 0x4a13eb in dav1d_picture_alloc /src/dav1d/src/picture.c:156:12
          #6 0x4d885a in dav1d_submit_frame /src/dav1d/src/decode.c:3105:15
          #7 0x4acaa5 in dav1d_parse_obus /src/dav1d/src/obu.c:1208:20
          #8 0x4a7607 in dav1d_get_picture /src/dav1d/src/lib.c:214:20
          #9 0x49ffb9 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #10 0x6ab44b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #11 0x6633f6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #12 0x67421a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #13 0x662521 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #14 0x7f73344e282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      oss-fuzz: add test case for assert in gm_get_motion_vector · 432f197e
      Janne Grunau authored
      dav1d_fuzzer_mt: ../../src/dav1d/src/ref_mvs.c:523: int_mv gm_get_motion_vector(const WarpedMotionParams *, int, BLOCK_SIZE, int, int, int): Assertion `IMPLIES(1 & (res.as_mv.row | res.as_mv.col), allow_hp)' failed.
      SUMMARY: UndefinedBehaviorSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x35427) UndefinedBehaviorSanitizer:DEADLYSIGNAL
      ==1==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x000000000001 (pc 0x7f99938ce428 bp 0x0000005a2f8c sp 0x7f998fc0f968 T7)
          #0 0x7f99938ce427 in gsignal /build/glibc-Cl5G7W/glibc-2.23/sysdeps/unix/sysv/linux/raise.c:54
          #1 0x7f99938d0029 in abort /build/glibc-Cl5G7W/glibc-2.23/stdlib/abort.c:89
          #2 0x7f99938c6bd6 in __assert_fail_base /build/glibc-Cl5G7W/glibc-2.23/assert/assert.c:92
          #3 0x7f99938c6c81 in __assert_fail /build/glibc-Cl5G7W/glibc-2.23/assert/assert.c:101
          #4 0x4665ec in gm_get_motion_vector /src/dav1d/src/ref_mvs.c:523:5
          #5 0x464398 in av1_find_mv_refs /src/dav1d/src/ref_mvs.c:1631:9
          #6 0x463d77 in av1_find_ref_mvs /src/dav1d/src/ref_mvs.c:1961:5
          #7 0x44d50b in decode_b /src/dav1d/src/decode.c:1454:13
          #8 0x43bfd9 in decode_sb /src/dav1d/src/decode.c:2050:17
          #9 0x43b848 in decode_sb /src/dav1d/src/decode.c:1997:21
          #10 0x43a5c4 in dav1d_decode_tile_sbrow /src/dav1d/src/decode.c:2458:13
          #11 0x4328ce in dav1d_tile_task /src/dav1d/src/thread_task.c:89:29
          #12 0x7f99945956b9 in start_thread
          #13 0x7f99939a041c in clone /build/glibc-Cl5G7W/glibc-2.23/sysdeps/unix/sysv/linux/x86_64/clone.S:109
      UndefinedBehaviorSanitizer can not provide additional info.
  11. Nov 15, 2018
      oss-fuzz: add test case for signed integer overflow in inv_dct4_1d · b837276f
      Janne Grunau authored
      SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/dav1d/src/itx_1d.c:42:27 in ../../src/dav1d/src/itx_1d.c:42:27: runtime error: signed integer overflow: -767379 * 2896 cannot be represented in type 'int'
          #0 0x4a7be0 in inv_dct4_1d /src/dav1d/src/itx_1d.c:42:27
          #1 0x4a826f in inv_dct8_1d /src/dav1d/src/itx_1d.c:59:5
          #2 0x4a7740 in inv_txfm_add_c /src/dav1d/src/itx_tmpl.c:78:9
          #3 0x4a6cda in inv_txfm_add_dct_dct_32x8_c /src/dav1d/src/itx_tmpl.c:137:1
          #4 0x4c8156 in dav1d_recon_b_intra_16bpc /src/dav1d/src/recon_tmpl.c:872:29
          #5 0x44297a in decode_b /src/dav1d/src/decode.c:711:13
          #6 0x43bc0a in decode_sb /src/dav1d/src/decode.c:2077:17
          #7 0x43b428 in decode_sb /src/dav1d/src/decode.c:1997:21
          #8 0x43b998 in decode_sb /src/dav1d/src/decode.c:2000:21
          #9 0x439783 in dav1d_decode_tile_sbrow /src/dav1d/src/decode.c:2269:17
          #10 0x4326de in dav1d_tile_task /src/dav1d/src/thread_task.c:89:29
          #11 0x7f04dda196b9 in start_thread
          #12 0x7f04dce2441c in clone /build/glibc-Cl5G7W/glibc-2.23/sysdeps/unix/sysv/linux/x86_64/clone.S:109
      oss-fuzz: add test case for memory leak of a picture reference · f4843d14
      Janne Grunau authored
      Not reproducible locally.
      
      Error parsing OBU data
      Error parsing OBU data
      =================================================================
      ==1==ERROR: LeakSanitizer: detected memory leaks
      Direct leak of 120 byte(s) in 3 object(s) allocated from:
          #0 0x4eb5ff in malloc _asan_rtl_
          #1 0x52e6f7 in dav1d_ref_wrap /src/dav1d/src/ref.c:58:21
          #2 0x52cf18 in picture_alloc_with_edges /src/dav1d/src/picture.c:140:20
          #3 0x52cb0b in dav1d_thread_picture_alloc /src/dav1d/src/picture.c:162:9
          #4 0x54c0f0 in dav1d_submit_frame /src/dav1d/src/decode.c:3018:16
          #5 0x532f48 in dav1d_parse_obus /src/dav1d/src/obu.c:1187:20
          #6 0x530002 in dav1d_get_picture /src/dav1d/src/lib.c:214:20
          #7 0x52bfbd in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #8 0x667015 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #9 0x63c83d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #10 0x648086 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #11 0x63bebc in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #12 0x7f281245982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      Direct leak of 80 byte(s) in 2 object(s) allocated from:
          #0 0x4eb5ff in malloc _asan_rtl_
          #1 0x52e6f7 in dav1d_ref_wrap /src/dav1d/src/ref.c:58:21
          #2 0x52e54c in dav1d_ref_create /src/dav1d/src/ref.c:46:11
          #3 0x54c703 in dav1d_submit_frame /src/dav1d/src/decode.c:3057:22
          #4 0x532f48 in dav1d_parse_obus /src/dav1d/src/obu.c:1187:20
          #5 0x530002 in dav1d_get_picture /src/dav1d/src/lib.c:214:20
          #6 0x52bfbd in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #7 0x667015 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #8 0x63c83d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #9 0x648086 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #10 0x63bebc in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #11 0x7f281245982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      Direct leak of 40 byte(s) in 1 object(s) allocated from:
          #0 0x4eb5ff in malloc _asan_rtl_
          #1 0x52e6f7 in dav1d_ref_wrap /src/dav1d/src/ref.c:58:21
          #2 0x52e54c in dav1d_ref_create /src/dav1d/src/ref.c:46:11
          #3 0x52df45 in dav1d_data_create /src/dav1d/src/data.c:44:16
          #4 0x52bf0a in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:96:13
          #5 0x667015 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #6 0x63c83d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #7 0x648086 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #8 0x63bebc in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #9 0x7f281245982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      Direct leak of 40 byte(s) in 1 object(s) allocated from:
          #0 0x4eb5ff in malloc _asan_rtl_
          #1 0x52e6f7 in dav1d_ref_wrap /src/dav1d/src/ref.c:58:21
          #2 0x52e54c in dav1d_ref_create /src/dav1d/src/ref.c:46:11
          #3 0x586909 in dav1d_cdf_thread_alloc /src/dav1d/src/cdf.c:4217:16
          #4 0x54bf30 in dav1d_submit_frame /src/dav1d/src/decode.c:3008:9
          #5 0x532f48 in dav1d_parse_obus /src/dav1d/src/obu.c:1187:20
          #6 0x530002 in dav1d_get_picture /src/dav1d/src/lib.c:214:20
          #7 0x52bfbd in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #8 0x667015 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #9 0x63c83d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #10 0x648086 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #11 0x63bebc in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #12 0x7f281245982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      Indirect leak of 4423680 byte(s) in 3 object(s) allocated from:
          #0 0x4ec488 in __interceptor_posix_memalign _asan_rtl_
          #1 0x52c94d in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x52c6a3 in default_picture_allocator /src/dav1d/src/picture.c:59:21
          #3 0x52c39d in fuzz_picture_allocator /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:49:12
          #4 0x52ce75 in picture_alloc_with_edges /src/dav1d/src/picture.c:130:15
          #5 0x52cb0b in dav1d_thread_picture_alloc /src/dav1d/src/picture.c:162:9
          #6 0x54c0f0 in dav1d_submit_frame /src/dav1d/src/decode.c:3018:16
          #7 0x532f48 in dav1d_parse_obus /src/dav1d/src/obu.c:1187:20
          #8 0x530002 in dav1d_get_picture /src/dav1d/src/lib.c:214:20
          #9 0x52bfbd in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #10 0x667015 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #11 0x63c83d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #12 0x648086 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #13 0x63bebc in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #14 0x7f281245982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      Indirect leak of 1474560 byte(s) in 2 object(s) allocated from:
          #0 0x4ec488 in __interceptor_posix_memalign _asan_rtl_
          #1 0x52e62d in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x52e532 in dav1d_ref_create /src/dav1d/src/ref.c:41:18
          #3 0x54c703 in dav1d_submit_frame /src/dav1d/src/decode.c:3057:22
          #4 0x532f48 in dav1d_parse_obus /src/dav1d/src/obu.c:1187:20
          #5 0x530002 in dav1d_get_picture /src/dav1d/src/lib.c:214:20
          #6 0x52bfbd in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #7 0x667015 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #8 0x63c83d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #9 0x648086 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #10 0x63bebc in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #11 0x7f281245982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      Indirect leak of 221233 byte(s) in 1 object(s) allocated from:
          #0 0x4ec488 in __interceptor_posix_memalign _asan_rtl_
          #1 0x52e62d in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x52e532 in dav1d_ref_create /src/dav1d/src/ref.c:41:18
          #3 0x52df45 in dav1d_data_create /src/dav1d/src/data.c:44:16
          #4 0x52bf0a in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:96:13
          #5 0x667015 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #6 0x63c83d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #7 0x648086 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #8 0x63bebc in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #9 0x7f281245982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      Indirect leak of 20824 byte(s) in 1 object(s) allocated from:
          #0 0x4ec488 in __interceptor_posix_memalign _asan_rtl_
          #1 0x52e62d in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x52e532 in dav1d_ref_create /src/dav1d/src/ref.c:41:18
          #3 0x586909 in dav1d_cdf_thread_alloc /src/dav1d/src/cdf.c:4217:16
          #4 0x54bf30 in dav1d_submit_frame /src/dav1d/src/decode.c:3008:9
          #5 0x532f48 in dav1d_parse_obus /src/dav1d/src/obu.c:1187:20
          #6 0x530002 in dav1d_get_picture /src/dav1d/src/lib.c:214:20
          #7 0x52bfbd in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #8 0x667015 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #9 0x63c83d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #10 0x648086 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #11 0x63bebc in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #12 0x7f281245982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      Indirect leak of 168 byte(s) in 3 object(s) allocated from:
          #0 0x4eb5ff in malloc _asan_rtl_
          #1 0x52cd26 in picture_alloc_with_edges /src/dav1d/src/picture.c:117:39
          #2 0x52cb0b in dav1d_thread_picture_alloc /src/dav1d/src/picture.c:162:9
          #3 0x54c0f0 in dav1d_submit_frame /src/dav1d/src/decode.c:3018:16
          #4 0x532f48 in dav1d_parse_obus /src/dav1d/src/obu.c:1187:20
          #5 0x530002 in dav1d_get_picture /src/dav1d/src/lib.c:214:20
          #6 0x52bfbd in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #7 0x667015 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #8 0x63c83d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/Fuzz
      oss-fuzz: add test case for assert(pkt_bytelen > (bit_pos >> 3)) · 537247f8
      Janne Grunau authored
      dav1d_fuzzer: ../../src/dav1d/src/obu.c:1152: int dav1d_parse_obus(Dav1dContext *const, Dav1dData *const): Assertion `pkt_bytelen > (bit_pos >> 3)' failed.
      UndefinedBehaviorSanitizer:DEADLYSIGNAL
      ==1==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x000000000001 (pc 0x7f7f2ba65428 bp 0x000000590251 sp 0x7fff937837a8 T1)
          #0 0x7f7f2ba65427 in gsignal /build/glibc-Cl5G7W/glibc-2.23/sysdeps/unix/sysv/linux/raise.c:54
          #1 0x7f7f2ba67029 in abort /build/glibc-Cl5G7W/glibc-2.23/stdlib/abort.c:89
          #2 0x7f7f2ba5dbd6 in __assert_fail_base /build/glibc-Cl5G7W/glibc-2.23/assert/assert.c:92
          #3 0x7f7f2ba5dc81 in __assert_fail /build/glibc-Cl5G7W/glibc-2.23/assert/assert.c:101
          #4 0x433bd8 in dav1d_parse_obus /src/dav1d/src/obu.c:1152:9
          #5 0x43148b in dav1d_get_picture /src/dav1d/src/lib.c:214:20
          #6 0x42f154 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:107:19
          #7 0x4effd8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #8 0x4e05f2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #9 0x4e426b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #10 0x4e0378 in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #11 0x7f7f2ba5082f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
          #12 0x405cd8 in _start
      UndefinedBehaviorSanitizer can not provide additional info.
  12. Nov 14, 2018
      oss-fuzz: rename the test suites · b4391e62
      Janne Grunau authored
      oss-fuzz: add test case for Heap-buffer-overflow in emu_edge_c · 1113f006
      Janne Grunau authored
      ==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fdbf6c30500 at pc 0x0000004ea22d bp 0x7fdbf7d95090 sp 0x7fdbf7d94840
      READ of size 2 at 0x7fdbf6c30500 thread T6
      SCARINESS: 24 (2-byte-read-heap-buffer-overflow-far-from-bounds)
          #0 0x4ea22c in __asan_memcpy _asan_rtl_
          #1 0x5bd6a5 in emu_edge_c /src/dav1d/src/mc_tmpl.c:756:9
          #2 0x5e236e in warp_affine /src/dav1d/src/recon_tmpl.c:709:17
          #3 0x5d8e6f in dav1d_recon_b_inter_8bpc /src/dav1d/src/recon_tmpl.c:1362:23
          #4 0x5525ab in decode_b /src/dav1d/src/decode.c:1799:17
          #5 0x5417a5 in decode_sb /src/dav1d/src/decode.c:1929:17
          #6 0x5414a9 in decode_sb /src/dav1d/src/decode.c:2127:17
          #7 0x5414a9 in decode_sb /src/dav1d/src/decode.c:2127:17
          #8 0x54159c in decode_sb /src/dav1d/src/decode.c:2129:17
          #9 0x5401b9 in dav1d_decode_tile_sbrow /src/dav1d/src/decode.c:2382:13
          #10 0x531de0 in dav1d_tile_task /src/dav1d/src/thread_task.c:89:29
          #11 0x7fdbffd216b9 in start_thread
          #12 0x7fdbff12c41c in clone /build/glibc-Cl5G7W/glibc-2.23/sysdeps/unix/sysv/linux/x86_64/clone.S:109
      0x7fdbf6c30500 is located 3328 bytes to the right of 196608-byte region [0x7fdbf6bff800,0x7fdbf6c2f800)
      allocated by thread T0 here:
          #0 0x4ec488 in __interceptor_posix_memalign _asan_rtl_
          #1 0x52c8cd in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x52c623 in default_picture_allocator /src/dav1d/src/picture.c:59:21
          #3 0x52c31d in fuzz_picture_allocator /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:49:12
          #4 0x52cdf5 in picture_alloc_with_edges /src/dav1d/src/picture.c:130:15
          #5 0x52ca8b in dav1d_thread_picture_alloc /src/dav1d/src/picture.c:162:9
          #6 0x54ba79 in dav1d_submit_frame /src/dav1d/src/decode.c:2991:16
          #7 0x532e08 in dav1d_parse_obus /src/dav1d/src/obu.c:1127:20
          #8 0x52fbd2 in dav1d_decode /src/dav1d/src/lib.c:201:20
          #9 0x52bf38 in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:101:19
          #10 0x665e95 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #11 0x63b6bd in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #12 0x646f06 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #13 0x63ad3c in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #14 0x7fdbff04582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      Thread T6 created by T0 here:
          #0 0x436c6d in __interceptor_pthread_create _asan_rtl_
          #1 0x52f051 in dav1d_open /src/dav1d/src/lib.c:126:17
          #2 0x52bddc in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:80:11
          #3 0x665e95 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #4 0x63b6bd in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #5 0x646f06 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #6 0x63ad3c in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #7 0x7fdbff04582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_dav1d_14dece08e8908088de8b5a0461ecc512e82f4c5d/revisions/dav1d_fuzzer_mt+0x4ea22c)
      Shadow bytes around the buggy address:
      oss-fuzz: add test case for undefined shift in put_bilin_scaled_c · 96dba972
      Janne Grunau authored
      SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../src/dav1d/src/mc_tmpl.c:406:26 in
      ../../src/dav1d/src/mc_tmpl.c:406:26: runtime error: shift exponent -6 is negative
          #0 0x4b6b4c in put_bilin_scaled_c /src/dav1d/src/mc_tmpl.c:406:26
          #1 0x4cf619 in mc /src/dav1d/src/recon_tmpl.c:587:13
          #2 0x4cac1f in dav1d_recon_b_inter_16bpc /src/dav1d/src/recon_tmpl.c:1171:19
          #3 0x4432bb in decode_b /src/dav1d/src/decode.c:738:17
          #4 0x43afcb in decode_sb /src/dav1d/src/decode.c:2002:17
          #5 0x43a9f6 in decode_sb /src/dav1d/src/decode.c:2127:17
          #6 0x439413 in dav1d_decode_tile_sbrow /src/dav1d/src/decode.c:2242:17
          #7 0x43246e in dav1d_tile_task /src/dav1d/src/thread_task.c:89:29
          #8 0x7f6930c356b9 in start_thread
          #9 0x7f693004041c in clone /build/glibc-Cl5G7W/glibc-2.23/sysdeps/unix/sysv/linux/x86_64/clone.S:109
      oss-fuzz: add test case for https://crbug.com/oss-fuzz/11378 · 87061e70
      Janne Grunau authored
      ==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd4b7623080 at pc 0x000000602d9e bp 0x7fd4b36ee330 sp 0x7fd4b36ee328
      READ of size 2 at 0x7fd4b7623080 thread T6
      SCARINESS: 24 (2-byte-read-heap-buffer-overflow-far-from-bounds)
          #0 0x602d9d in put_8tap_scaled_c /src/dav1d/src/mc_tmpl.c:166:31
          #1 0x5fc0cf in put_8tap_sharp_scaled_c /src/dav1d/src/mc_tmpl.c:331:1
          #2 0x624667 in mc /src/dav1d/src/recon_tmpl.c:587:13
          #3 0x61c53d in dav1d_recon_b_inter_16bpc /src/dav1d/src/recon_tmpl.c:1171:19
          #4 0x550902 in decode_b /src/dav1d/src/decode.c:738:17
          #5 0x541532 in decode_sb /src/dav1d/src/decode.c:2133:17
          #6 0x541161 in decode_sb /src/dav1d/src/decode.c:1890:16
          #7 0x53edfd in dav1d_decode_tile_sbrow /src/dav1d/src/decode.c:2242:17
          #8 0x531de0 in dav1d_tile_task /src/dav1d/src/thread_task.c:89:29
          #9 0x7fd4bb66a6b9 in start_thread
          #10 0x7fd4baa7541c in clone /build/glibc-Cl5G7W/glibc-2.23/sysdeps/unix/sysv/linux/x86_64/clone.S:109
      0x7fd4b7623080 is located 1920 bytes to the left of 168320-byte region [0x7fd4b7623800,0x7fd4b764c980)
      allocated by thread T0 here:
          #0 0x4ec488 in __interceptor_posix_memalign _asan_rtl_
          #1 0x52f9c8 in dav1d_alloc_aligned /src/dav1d/include/common/mem.h:46:9
          #2 0x52ef75 in dav1d_open /src/dav1d/src/lib.c:120:17
          #3 0x52bddc in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:80:11
          #4 0x665e95 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #5 0x63b6bd in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #6 0x646f06 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #7 0x63ad3c in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #8 0x7fd4ba98e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      Thread T6 created by T0 here:
          #0 0x436c6d in __interceptor_pthread_create _asan_rtl_
          #1 0x52f051 in dav1d_open /src/dav1d/src/lib.c:126:17
          #2 0x52bddc in LLVMFuzzerTestOneInput /src/dav1d/tests/libfuzzer/dav1d_fuzzer.c:80:11
          #3 0x665e95 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:571:15
          #4 0x63b6bd in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
          #5 0x646f06 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
          #6 0x63ad3c in main /src/libfuzzer/FuzzerMain.cpp:20:10
          #7 0x7fd4ba98e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
      SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_dav1d_14dece08e8908088de8b5a0461ecc512e82f4c5d/revisions/dav1d_fuzzer_mt+0x602d9d)
      Shadow bytes around the buggy address:
  13. Nov 13, 2018