Skip to content

Always the set the Dav1dRef pointer to zero

Janne Grunau requested to merge janne/dav1d:fuzz into master

Under certain error conditions (frame allocation errors) the reference count of a stale mvs_ref reference was decreased. This results in a heap-use-after-free in dav1d_close() with clusterfuzz-testcase-minimized-dav1d_fuzzer-5736270563639296. Credits to oss-fuzz.

Edited by Janne Grunau

Merge request reports

Loading