oss-fuzz: heap-use-after-free in dav1d_ref_dec() src/ref.c
Reproduced with commit e0a05e5e
Steps to reproduce:
- build dav1d with AddressSanitizer (-fsanitize=address)
- replay testcase with
./dav1d_fuzzer clusterfuzz-testcase-minimized-dav1d_fuzzer-5708722911838208
clusterfuzz-testcase-minimized-dav1d_fuzzer-5708722911838208
==1==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000004590 at pc 0x0000005c1f8d bp 0x7ffec8ca9130 sp 0x7ffec8ca9128
WRITE of size 4 at 0x615000004590 thread T0
SCARINESS: 46 (4-byte-write-heap-use-after-free)
#0 0x5c1f8c in dav1d_ref_dec src/ref.c:76:9
#1 0x5def0a in dav1d_submit_frame src/decode.c:3079:9
#2 0x5c69dc in dav1d_parse_obus src/obu.c:1137:20
#3 0x5c33a2 in dav1d_decode src/lib.c:201:20
#4 0x5bf977 in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:101:19
#5 0x55ab25 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
#6 0x530a2d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
#7 0x53c276 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
#8 0x5300ac in main /src/libfuzzer/FuzzerMain.cpp:20:10
#9 0x7f9adf4a482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
#10 0x41ccd8 in _start
0x615000004590 is located 16 bytes inside of 40-byte region [0x615000004580,0x6150000045a8)
freed by thread T0 here:
#0 0x4eb640 in __interceptor_free _asan_rtl_
#1 0x5dbb08 in dav1d_decode_frame src/decode.c:2776:9
#2 0x5e013a in dav1d_submit_frame src/decode.c:3040:20
#3 0x5c69dc in dav1d_parse_obus src/obu.c:1137:20
#4 0x5c33a2 in dav1d_decode src/lib.c:201:20
#5 0x5bf977 in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:101:19
#6 0x55ab25 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
#7 0x530a2d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
#8 0x53c276 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
#9 0x5300ac in main /src/libfuzzer/FuzzerMain.cpp:20:10
#10 0x7f9adf4a482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
previously allocated by thread T0 here:
#0 0x4eba0f in malloc _asan_rtl_
#1 0x5c1d07 in dav1d_ref_wrap src/ref.c:58:21
#2 0x5c1b5c in dav1d_ref_create src/ref.c:46:11
#3 0x5df262 in dav1d_submit_frame src/decode.c:2935:22
#4 0x5c69dc in dav1d_parse_obus src/obu.c:1137:20
#5 0x5c33a2 in dav1d_decode src/lib.c:201:20
#6 0x5bf977 in LLVMFuzzerTestOneInput tests/libfuzzer/dav1d_fuzzer.c:101:19
#7 0x55ab25 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
#8 0x530a2d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
#9 0x53c276 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:713:9
#10 0x5300ac in main /src/libfuzzer/FuzzerMain.cpp:20:10
#11 0x7f9adf4a482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
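The three stacks above describe a single Dav1dRef: allocated by dav1d_ref_create from dav1d_submit_frame (decode.c:2935), freed inside dav1d_decode_frame (decode.c:2776, reached from dav1d_submit_frame at decode.c:3040), and then written by dav1d_ref_dec from dav1d_submit_frame (decode.c:3079). A 4-byte write 16 bytes into a freed 40-byte region is consistent with a reference-count decrement on an object whose count already hit zero, i.e. the same reference released twice, once by the callee and once by the caller. The C program below is an added illustration, not dav1d's code: a minimal reference count in the same shape, a callee that drops its reference on its own failure path, and a caller that cleans up unconditionally. The hypothetical ref_dec takes the owning slot by address and clears it, so a repeated release of the same slot is a no-op instead of a write into freed memory; share_and_release shows the other half of the discipline, every holder takes its own count. All names, and the g_frees test counter, are assumptions for this example only.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Hypothetical minimal reference-counted buffer, modelled loosely on
 * the Dav1dRef pattern seen in the trace. Not dav1d's code. */
typedef struct Ref {
    void *data;
    atomic_int ref_cnt;
} Ref;

/* Test hook (assumed, not a real API): number of times a Ref was freed. */
static int g_frees;

static Ref *ref_create(size_t size) {
    Ref *r = malloc(sizeof(*r));
    if (!r) return NULL;
    r->data = malloc(size);
    if (!r->data) { free(r); return NULL; }
    atomic_init(&r->ref_cnt, 1);   /* creator holds the first reference */
    return r;
}

/* Every additional holder must take its own count. */
static void ref_inc(Ref *r) { atomic_fetch_add(&r->ref_cnt, 1); }

/* Release through the owning slot and clear it. A second release of the
 * same slot is then a harmless no-op; with a by-value dec it would be a
 * decrement written into freed memory, which is what ASan reported above. */
static void ref_dec(Ref **pref) {
    Ref *r = *pref;
    if (!r) return;
    *pref = NULL;
    if (atomic_fetch_sub(&r->ref_cnt, 1) == 1) {
        free(r->data);
        free(r);
        g_frees++;
    }
}

typedef struct Frame { Ref *ref; } Frame;

/* Callee that releases the frame's reference on its own failure path,
 * the same shape as a free inside the decode step. */
static int decode_frame(Frame *f, int fail) {
    if (fail) { ref_dec(&f->ref); return -1; }
    return 0;
}

/* Caller: create, hand to decode_frame, then clean up unconditionally.
 * Returns how many times the Ref was freed (must be exactly 1 on both
 * the success and the failure path), or -2 if allocation failed. */
static int submit_frame(int fail) {
    g_frees = 0;
    Frame f = { ref_create(64) };
    if (!f.ref) return -2;
    (void)decode_frame(&f, fail);
    ref_dec(&f.ref);   /* no-op if decode_frame already dropped it */
    return g_frees;
}

/* Two holders of one buffer. Slot clearing cannot protect two distinct
 * slots, so each holder must own a count; then the last release frees
 * exactly once. Returns 1 when the discipline holds. */
static int share_and_release(void) {
    g_frees = 0;
    Ref *a = ref_create(64);
    if (!a) return -2;
    Ref *b = a;
    ref_inc(b);        /* second holder takes its own reference */
    ref_dec(&a);       /* first holder releases; object must survive */
    int alive_after_first = b != NULL && atomic_load(&b->ref_cnt) == 1;
    ref_dec(&b);       /* last holder releases; object freed once */
    return alive_after_first && g_frees == 1;
}

int main(void) {
    return (submit_frame(0) == 1 && submit_frame(1) == 1 &&
            share_and_release() == 1) ? 0 : 1;
}
```

The slot-clearing convention only covers the case where caller and callee release through the same variable; where two different structures point at one Ref, as across submit and decode here, the fix has to be ownership (each structure holds its own count, or exactly one of them is responsible for the release), which is what the failing path in the trace needs to be audited for.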