Date: Wed, 14 Aug 2024 23:13:24 +0200
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Message-ID: <20240814211324.GX4991@pb2>
In-Reply-To: <20240812190200.GM4991@pb2>
References: <20240806221853.959177-1-michael@niedermayer.cc>
 <20240806221853.959177-5-michael@niedermayer.cc>
 <79221741-358b-4c9a-9782-51799f2eb416@gmail.com>
 <20240808212701.GC4991@pb2>
 <20240809200904.GD4991@pb2>
 <0bc7bbda-7cc1-428a-9ee8-6749212d6e27@gmail.com>
 <20240812190200.GM4991@pb2>
Subject: Re: [FFmpeg-devel] [PATCH 5/6] tools/target_dec_fuzzer: Use av_buffer_allocz() to avoid missing slices to have unpredictable content

On Mon, Aug 12, 2024 at 09:02:00PM +0200, Michael Niedermayer wrote:
> On Sat, Aug 10, 2024 at 12:34:16PM -0300, James Almer wrote:
> > On 8/9/2024 5:09 PM, Michael Niedermayer wrote:
> > > Hi
> > >
> > > On Fri, Aug 09, 2024 at 03:56:42AM +0200, Kacper Michajlow wrote:
> > > > On Fri, 9 Aug 2024 at 00:06, Michael Niedermayer wrote:
> > > > >
> > > > > On Thu, Aug 08, 2024 at 02:13:12PM -0300, James Almer wrote:
> > > [...]
> > > > > If decoders are fed with uninitialized buffers that's a
> > > > > security issue because there are thousands if not tens of thousands of
> > > > > paths if you consider the number of decoders and the number
> > > > > of ways they can hit errors
> > > >
> > > > Clearing those buffers in fuzzers does not alleviate this security
> > > > issue, as they may still be uninitialized in production code.
> > >
> > > The decoders in production clear the buffers. The fuzzer does not
> > > so the issues it shows don't exist in production
> > >
> > > look yourself in get_buffer.c
> > >
> > >     pool->pools[i] = av_buffer_pool_init(size[i] + 16 + STRIDE_ALIGN - 1,
> > >                                          CONFIG_MEMORY_POISONING ? NULL : av_buffer_allocz);
> > >
> > > it's av_buffer_allocz
> >
> > I disagree. That's from avcodec_default_get_buffer2(). What about DR1
> > decoders where the caller is using their own avctx.get_buffer2() callback?
> > Nothing in the documentation says that the buffers must be zeroed.
> >
> > I wrote the function you just changed with the intention of finding issues a
> > library user could trigger, which included allocating buffers exactly as big
> > as needed (with no extra padding) and not zeroing it, using lavu helpers
> > like the get_buffer2() documentation states.
> >
> > This change here makes half of that moot, and is hiding potential bugs in
> > the form of use of uninitialized memory in our decoders.
>
> we have several sanitizers, msan is just one of them
> outside msan, using uninitialized buffers is only having one effect and that
> is it makes things less reproducible
>
> using uninitialized buffers is a security issue. It's a security issue
> because many of our decoders pass uninitialized data through on errors.
> An attacker uploads a file with error and gets an encoded file back, that
> encoded file now contains what was in the memory of these uninitialized buffers
> An attacker is not supposed to be able to read your memory like that
>
> we have 481 DR1 decoders. For the use for uninitialized buffers to be safe
> you need to have every error path on every one of these decoders clean every bit of
> the buffer that was not initialized.
> This is not how you design secure software
> Design that needs "every" multiplied by "every" to do a specific thing is bad security
>
> no one volunteered to make all the decoders handle uninitialized buffers
> Simply making these issues appear in ossfuzz doesn't fix them
>
> IMHO
> If someone wants to work on uninitialized buffer support and fixes, perfectly
> fine with me. What i do not agree to is the attempt to force the already very
> busy people to work on and fix these issues when a simple "memset()" avoids
> the whole issue
>
> Again, on one hand one memset() on the other 481 DR1 decoders that clear the right
> bits of the buffer on EVERY error path.
>
> That's like strlcpy() vs strcpy() with no bugs on any use. We know which of these
> is a bad idea. Why is it here something we argue about ?
> because DR1 doesn't document that the buffer contents can leak through (which
> really is what it should say not "you must clear it")
> It's good enough if the user app ensures the buffer contains no sensitive data
>
> and no matter how hard we try to fix all decoders so they never leak something
> through. we should still say the custom buffers should not contain sensitive
> data, so I am not sure but i don't think we disagree here or do we ?
>
> thx

Also if someone wants to look at decoders passing uninitialized data through
here are a few

70836
    #0 0x567ec5e29ae1 in ff_add_png_paeth_prediction /src/ffmpeg/libavcodec/pngdec.c:236:22
    #1 0x567ec5e2a96f in ff_png_filter_row /src/ffmpeg/libavcodec/pngdec.c:330:17
    #2 0x567ec5de85ca in handle_row /src/ffmpeg/libavcodec/lscrdec.c:71:5
    #3 0x567ec5de85ca in decode_idat /src/ffmpeg/libavcodec/lscrdec.c:97:17
    #4 0x567ec5de85ca in decode_frame_lscr /src/ffmpeg/libavcodec/lscrdec.c:193:19
    #5 0x567ec5dca27b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #6 0x567ec5dca27b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #7 0x567ec5dca27b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #8 0x567ec5dc97e3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #9 0x567ec5db72bc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #10 0x567ec5cb0a20 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #11 0x567ec5c9b1b4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #12 0x567ec5ca0c4a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #13 0x567ec5ccd042 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x7dd57860d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #15 0x567ec5c91c8d in _start

  Uninitialized value was created by a heap allocation
    #0 0x567ec5d53603 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x567ec6564b48 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x567ec6517df2 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x567ec5db9c46 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x567ec5db9c46 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x567ec5dd54b0 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x567ec5dd6707 in reget_buffer_internal /src/ffmpeg/libavcodec/decode.c:1661:16
    #7 0x567ec5dd6707 in ff_reget_buffer /src/ffmpeg/libavcodec/decode.c:1686:15
    #8 0x567ec5de6cd9 in decode_frame_lscr /src/ffmpeg/libavcodec/lscrdec.c:130:11
    #9 0x567ec5dca27b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #10 0x567ec5dca27b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #11 0x567ec5dca27b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #12 0x567ec5dc97e3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #13 0x567ec5db72bc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #14 0x567ec5cb0a20 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #15 0x567ec5c9b1b4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #16 0x567ec5ca0c4a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #17 0x567ec5ccd042 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #18 0x7dd57860d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

70838 (i already fixed this one)
    #0 0x593ba893f86c in add_left_pred_c /src/ffmpeg/libavcodec/lossless_videodsp.c:80:5
    #1 0x593ba85617ba in decode_frame /src/ffmpeg/libavcodec/mvha.c:262:9
    #2 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #12 0x593ba83d6bcd in _start

  Uninitialized value was stored to memory at
    #0 0x593ba893f6c6 in add_left_pred_c /src/ffmpeg/libavcodec/lossless_videodsp.c:69:16
    #1 0x593ba85617ba in decode_frame /src/ffmpeg/libavcodec/mvha.c:262:9
    #2 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

  Uninitialized value was stored to memory at
    #0 0x593ba893f70b in add_left_pred_c /src/ffmpeg/libavcodec/lossless_videodsp.c:72:16
    #1 0x593ba85617ba in decode_frame /src/ffmpeg/libavcodec/mvha.c:262:9
    #2 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

  Uninitialized value was stored to memory at
    #0 0x593ba893f6c6 in add_left_pred_c /src/ffmpeg/libavcodec/lossless_videodsp.c:69:16
    #1 0x593ba85617ba in decode_frame /src/ffmpeg/libavcodec/mvha.c:262:9
    #2 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

  Uninitialized value was created by a heap allocation
    #0 0x593ba8498543 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x593ba8c904c8 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x593ba8c44ac2 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x593ba84feb86 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x593ba84feb86 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x593ba851a3f0 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x593ba8560d57 in decode_frame /src/ffmpeg/libavcodec/mvha.c:170:20
    #7 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #8 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #9 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #10 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #11 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #12 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #13 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #14 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #15 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #16 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

70848
    #0 0x59d52678fcd5 in av_clip_c /src/ffmpeg/libavutil/common.h:183:14
    #1 0x59d52678fcd5 in filter181 /src/ffmpeg/libavcodec/error_resilience.c:125:19
    #2 0x59d52678fcd5 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1281:5
    #3 0x59d52670f498 in finish_frame /src/ffmpeg/libavcodec/rv34.c:1582:5
    #4 0x59d526702d83 in ff_rv34_decode_frame /src/ffmpeg/libavcodec/rv34.c:1802:19
    #5 0x59d526111a6b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #6 0x59d526111a6b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #7 0x59d526111a6b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #8 0x59d526110fd3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #9 0x59d5260feaac in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #10 0x59d525ff8210 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #11 0x59d525fe29a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #12 0x59d525fe843a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #13 0x59d526014832 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x7b1cb6cc5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #15 0x59d525fd947d in _start

  Uninitialized value was stored to memory at
    #0 0x59d52678dad2 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1255:59
    #1 0x59d52670f498 in finish_frame /src/ffmpeg/libavcodec/rv34.c:1582:5
    #2 0x59d526702d83 in ff_rv34_decode_frame /src/ffmpeg/libavcodec/rv34.c:1802:19
    #3 0x59d526111a6b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #4 0x59d526111a6b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #5 0x59d526111a6b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #6 0x59d526110fd3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #7 0x59d5260feaac in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #8 0x59d525ff8210 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #9 0x59d525fe29a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #10 0x59d525fe843a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #11 0x59d526014832 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #12 0x7b1cb6cc5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

  Uninitialized value was stored to memory at
    #0 0x59d5265f7d5d in put_pixels8_8_c /src/ffmpeg/libavcodec/pel_template.c:78:1
    #1 0x59d5265f7d5d in put_pixels16_8_c /src/ffmpeg/libavcodec/pel_template.c:78:1
    #2 0x59d5266b6455 in mpeg_motion_internal /src/ffmpeg/libavcodec/mpegvideo_motion.c:205:5
    #3 0x59d5266b6455 in mpeg_motion /src/ffmpeg/libavcodec/mpegvideo_motion.c:232:9
    #4 0x59d5266b3606 in mpv_motion_internal /src/ffmpeg/libavcodec/mpegvideo_motion.c:0
    #5 0x59d5266b3606 in ff_mpv_motion /src/ffmpeg/libavcodec/mpegvideo_motion.c:0
    #6 0x59d526697988 in mpv_reconstruct_mb_internal /src/ffmpeg/libavcodec/mpv_reconstruct_mb_template.c:147:21
    #7 0x59d526697988 in ff_mpv_reconstruct_mb /src/ffmpeg/libavcodec/mpegvideo_dec.c:930:13
    #8 0x59d5267925c1 in guess_mv /src/ffmpeg/libavcodec/error_resilience.c:456:17
    #9 0x59d52678d549 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1224:9
    #10 0x59d52670f498 in finish_frame /src/ffmpeg/libavcodec/rv34.c:1582:5
    #11 0x59d526702d83 in ff_rv34_decode_frame /src/ffmpeg/libavcodec/rv34.c:1802:19
    #12 0x59d526111a6b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #13 0x59d526111a6b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #14 0x59d526111a6b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #15 0x59d526110fd3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #16 0x59d5260feaac in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #17 0x59d525ff8210 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #18 0x59d525fe29a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #19 0x59d525fe843a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #20 0x59d526014832 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #21 0x7b1cb6cc5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

  Uninitialized value was created by a heap allocation
    #0 0x59d52609adf3 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x59d526982dc8 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x59d5269373c2 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x59d526101436 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x59d526101436 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x59d52611cca0 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x59d526175c29 in thread_get_buffer_internal /src/ffmpeg/libavcodec/pthread_frame.c:969:16
    #7 0x59d526175c29 in ff_thread_get_buffer /src/ffmpeg/libavcodec/pthread_frame.c:988:15
    #8 0x59d526690078 in alloc_picture /src/ffmpeg/libavcodec/mpegvideo_dec.c:234:15
    #9 0x59d525fcc4a2 in alloc_dummy_frame /src/ffmpeg/libavcodec/mpegvideo_dec.c:271:15
    #10 0x59d52668ed1c in ff_mpv_alloc_dummy_frames /src/ffmpeg/libavcodec/mpegvideo_dec.c:318:15
    #11 0x59d52668f9ae in ff_mpv_frame_start /src/ffmpeg/libavcodec/mpegvideo_dec.c:384:11
    #12 0x59d526702afc in ff_rv34_decode_frame /src/ffmpeg/libavcodec/rv34.c:1706:13
    #13 0x59d526111a6b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #14 0x59d526111a6b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #15 0x59d526111a6b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #16 0x59d526110fd3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #17 0x59d5260feaac in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #18 0x59d525ff8210 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #19 0x59d525fe29a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #20 0x59d525fe843a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #21 0x59d526014832 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #22 0x7b1cb6cc5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

70858
    #0 0x57ffd5699628 in loop_filter /src/ffmpeg/libavcodec/vp9dsp_template.c:1796:38
    #1 0x57ffd5699628 in loop_filter_v_8_8_c /src/ffmpeg/libavcodec/vp9dsp_template.c:1906:1
    #2 0x57ffd5721d2c in filter_plane_rows /src/ffmpeg/libavcodec/vp9lpf.c:0:25
    #3 0x57ffd5721d2c in ff_vp9_loopfilter_sb /src/ffmpeg/libavcodec/vp9lpf.c:201:9
    #4 0x57ffd55d64a8 in decode_tiles /src/ffmpeg/libavcodec/vp9.c:1372:21
    #5 0x57ffd55d64a8 in vp9_decode_frame /src/ffmpeg/libavcodec/vp9.c:1716:19
    #6 0x57ffd552c5bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #7 0x57ffd552c5bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #8 0x57ffd552c5bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #9 0x57ffd552bb23 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #10 0x57ffd55195fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #11 0x57ffd5412d60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #12 0x57ffd53fd4f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #13 0x57ffd5402f8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #14 0x57ffd542f382 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0x7c7d13998082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #16 0x57ffd53f3fcd in _start

  Uninitialized value was created by a heap allocation
    #0 0x57ffd54b5943 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x57ffd5f209e8 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x57ffd5ed4fe2 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x57ffd551bf86 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x57ffd551bf86 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x57ffd55377f0 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x57ffd5590779 in thread_get_buffer_internal /src/ffmpeg/libavcodec/pthread_frame.c:969:16
    #7 0x57ffd5590779 in ff_thread_get_buffer /src/ffmpeg/libavcodec/pthread_frame.c:988:15
    #8 0x57ffd5538d8a in ff_progress_frame_get_buffer /src/ffmpeg/libavcodec/decode.c:1725:11
    #9 0x57ffd55d19fb in vp9_frame_alloc /src/ffmpeg/libavcodec/vp9.c:110:11
    #10 0x57ffd55d19fb in vp9_decode_frame /src/ffmpeg/libavcodec/vp9.c:1588:16
    #11 0x57ffd552c5bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #12 0x57ffd552c5bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #13 0x57ffd552c5bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #14 0x57ffd552bb23 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #15 0x57ffd55195fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #16 0x57ffd5412d60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #17 0x57ffd53fd4f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #18 0x57ffd5402f8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #19 0x57ffd542f382 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #20 0x7c7d13998082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

70870
    #0 0x5c9ac4ef5b92 in av_clip_c /src/ffmpeg/libavutil/common.h:183:14
    #1 0x5c9ac4ef5b92 in filter181 /src/ffmpeg/libavcodec/error_resilience.c:109:19
    #2 0x5c9ac4ef5b92 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1281:5
    #3 0x5c9ac4be8ebe in slice_end /src/ffmpeg/libavcodec/mpeg12dec.c:1740:9
    #4 0x5c9ac4be8ebe in decode_chunks /src/ffmpeg/libavcodec/mpeg12dec.c:2198:23
    #5 0x5c9ac4bd65ce in mpeg_decode_frame /src/ffmpeg/libavcodec/mpeg12dec.c:2546:11
    #6 0x5c9ac4b83e2b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #7 0x5c9ac4b83e2b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #8 0x5c9ac4b83e2b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #9 0x5c9ac4b83393 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #10 0x5c9ac4b70e6c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #11 0x5c9ac4a6a5d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #12 0x5c9ac4a54d64 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #13 0x5c9ac4a5a7fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #14 0x5c9ac4a86bf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0x7edc6d9b0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #16 0x5c9ac4a4b83d in _start

  Uninitialized value was stored to memory at
    #0 0x5c9ac4ef39a2 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1255:59
    #1 0x5c9ac4be8ebe in slice_end /src/ffmpeg/libavcodec/mpeg12dec.c:1740:9
    #2 0x5c9ac4be8ebe in decode_chunks /src/ffmpeg/libavcodec/mpeg12dec.c:2198:23
    #3 0x5c9ac4bd65ce in mpeg_decode_frame /src/ffmpeg/libavcodec/mpeg12dec.c:2546:11
    #4 0x5c9ac4b83e2b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #5 0x5c9ac4b83e2b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #6 0x5c9ac4b83e2b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #7 0x5c9ac4b83393 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #8 0x5c9ac4b70e6c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #9 0x5c9ac4a6a5d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #10 0x5c9ac4a54d64 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #11 0x5c9ac4a5a7fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #12 0x5c9ac4a86bf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #13 0x7edc6d9b0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

  Uninitialized value was stored to memory at
    #0 0x5c9ac500cb9c in put_pixels8_8_c /src/ffmpeg/libavcodec/pel_template.c:78:1
    #1 0x5c9ac500cb9c in put_pixels16_8_c /src/ffmpeg/libavcodec/pel_template.c:78:1
    #2 0x5c9ac4c2f170 in mpeg_motion_internal /src/ffmpeg/libavcodec/mpegvideo_motion.c:205:5
    #3
0x5c9ac4c2f170 in mpeg_motion /src/ffmpeg/libavcodec/mpegvideo_motio= n.c:227:9 #4 0x5c9ac4c2bc46 in mpv_motion_internal /src/ffmpeg/libavcodec/mpegvid= eo_motion.c:0 #5 0x5c9ac4c2bc46 in ff_mpv_motion /src/ffmpeg/libavcodec/mpegvideo_mot= ion.c:0 #6 0x5c9ac4c0cc7e in mpv_reconstruct_mb_internal /src/ffmpeg/libavcodec= /mpv_reconstruct_mb_template.c:147:21 #7 0x5c9ac4c0cc7e in ff_mpv_reconstruct_mb /src/ffmpeg/libavcodec/mpegv= ideo_dec.c:928:13 #8 0x5c9ac4ef8491 in guess_mv /src/ffmpeg/libavcodec/error_resilience.c= :456:17 #9 0x5c9ac4ef3419 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resil= ience.c:1224:9 #10 0x5c9ac4be8ebe in slice_end /src/ffmpeg/libavcodec/mpeg12dec.c:1740= :9 #11 0x5c9ac4be8ebe in decode_chunks /src/ffmpeg/libavcodec/mpeg12dec.c:= 2198:23 #12 0x5c9ac4bd65ce in mpeg_decode_frame /src/ffmpeg/libavcodec/mpeg12de= c.c:2546:11 #13 0x5c9ac4b83e2b in decode_simple_internal /src/ffmpeg/libavcodec/dec= ode.c:429:20 #14 0x5c9ac4b83e2b in decode_simple_receive_frame /src/ffmpeg/libavcode= c/decode.c:600:15 #15 0x5c9ac4b83e2b in decode_receive_frame_internal /src/ffmpeg/libavco= dec/decode.c:631:15 #16 0x5c9ac4b83393 in avcodec_send_packet /src/ffmpeg/libavcodec/decode= =2Ec:721:15 #17 0x5c9ac4b70e6c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_d= ec_fuzzer.c:534:25 #18 0x5c9ac4a6a5d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char con= st*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp= :614:13 #19 0x5c9ac4a54d64 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, = unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:32= 7:6 #20 0x5c9ac4a5a7fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsig= ned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/F= uzzerDriver.cpp:862:9 #21 0x5c9ac4a86bf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/Fuz= zerMain.cpp:20:10 #22 0x7edc6d9b0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/= csu/libc-start.c:308:16 Uninitialized value 
was created by a heap allocation #0 0x5c9ac4b0d1b3 in ___interceptor_posix_memalign /src/llvm-project/co= mpiler-rt/lib/msan/msan_interceptors.cpp:162:3 #1 0x5c9ac5326e38 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9 #2 0x5c9ac52db432 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:= 12 #3 0x5c9ac4b737f6 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec= _fuzzer.c:132:25 #4 0x5c9ac4b737f6 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzz= er.c:153:18 #5 0x5c9ac4b8f060 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621= :11 #6 0x5c9ac4c44829 in thread_get_buffer_internal /src/ffmpeg/libavcodec/= pthread_frame.c:969:16 #7 0x5c9ac4c44829 in ff_thread_get_buffer /src/ffmpeg/libavcodec/pthrea= d_frame.c:988:15 #8 0x5c9ac4c086b8 in alloc_picture /src/ffmpeg/libavcodec/mpegvideo_dec= =2Ec:234:15 #9 0x5c9ac4a3604b in alloc_dummy_frame /src/ffmpeg/libavcodec/mpegvideo= _dec.c:271:15 #10 0x5c9ac4c0735c in ff_mpv_alloc_dummy_frames /src/ffmpeg/libavcodec/= mpegvideo_dec.c:318:15 #11 0x5c9ac4c07fee in ff_mpv_frame_start /src/ffmpeg/libavcodec/mpegvid= eo_dec.c:384:11 #12 0x5c9ac4beb6b8 in mpeg_field_start /src/ffmpeg/libavcodec/mpeg12dec= =2Ec:1268:20 #13 0x5c9ac4be18f2 in decode_chunks /src/ffmpeg/libavcodec/mpeg12dec.c:= 2446:32 #14 0x5c9ac4bd65ce in mpeg_decode_frame /src/ffmpeg/libavcodec/mpeg12de= c.c:2546:11 #15 0x5c9ac4b83e2b in decode_simple_internal /src/ffmpeg/libavcodec/dec= ode.c:429:20 #16 0x5c9ac4b83e2b in decode_simple_receive_frame /src/ffmpeg/libavcode= c/decode.c:600:15 #17 0x5c9ac4b83e2b in decode_receive_frame_internal /src/ffmpeg/libavco= dec/decode.c:631:15 #18 0x5c9ac4b83393 in avcodec_send_packet /src/ffmpeg/libavcodec/decode= =2Ec:721:15 #19 0x5c9ac4b70e6c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_d= ec_fuzzer.c:534:25 #20 0x5c9ac4a6a5d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char con= st*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp= :614:13 #21 0x5c9ac4a54d64 in 
fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, = unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:32= 7:6 #22 0x5c9ac4a5a7fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsig= ned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/F= uzzerDriver.cpp:862:9 #23 0x5c9ac4a86bf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/Fuz= zerMain.cpp:20:10 70928 =3D6524=3D=3DWARNING: MemorySanitizer: use-of-uninitialized-value #0 0x5c2c3d950a9b in run_postproc /src/ffmpeg/libavcodec/dds.c:483:21 #1 0x5c2c3d94acc0 in dds_decode /src/ffmpeg/libavcodec/dds.c:711:9 #2 0x5c2c3d9529db in decode_simple_internal /src/ffmpeg/libavcodec/deco= de.c:429:20 #3 0x5c2c3d9529db in decode_simple_receive_frame /src/ffmpeg/libavcodec= /decode.c:600:15 #4 0x5c2c3d9529db in decode_receive_frame_internal /src/ffmpeg/libavcod= ec/decode.c:631:15 #5 0x5c2c3d951f43 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.= c:721:15 #6 0x5c2c3d93624c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_de= c_fuzzer.c:534:25 #7 0x5c2c3d82f9b0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char cons= t*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:= 614:13 #8 0x5c2c3d81a144 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, u= nsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327= :6 #9 0x5c2c3d81fbda in fuzzer::FuzzerDriver(int*, char***, int (*)(unsign= ed char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/Fu= zzerDriver.cpp:862:9 #10 0x5c2c3d84bfd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/Fuz= zerMain.cpp:20:10 #11 0x7ce16e94d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/= csu/libc-start.c:308:16 #12 0x5c2c3d810c1d in _start Uninitialized value was created by a heap allocation #0 0x5c2c3d8d2593 in ___interceptor_posix_memalign /src/llvm-project/co= mpiler-rt/lib/msan/msan_interceptors.cpp:162:3 #1 0x5c2c3e0d2798 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9 #2 0x5c2c3e086d92 
in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:= 12 #3 0x5c2c3d938bd6 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec= _fuzzer.c:132:25 #4 0x5c2c3d938bd6 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzz= er.c:153:18 #5 0x5c2c3d95dc10 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621= :11 #6 0x5c2c3d949f58 in dds_decode /src/ffmpeg/libavcodec/dds.c:618:11 #7 0x5c2c3d9529db in decode_simple_internal /src/ffmpeg/libavcodec/deco= de.c:429:20 #8 0x5c2c3d9529db in decode_simple_receive_frame /src/ffmpeg/libavcodec= /decode.c:600:15 #9 0x5c2c3d9529db in decode_receive_frame_internal /src/ffmpeg/libavcod= ec/decode.c:631:15 #10 0x5c2c3d951f43 in avcodec_send_packet /src/ffmpeg/libavcodec/decode= =2Ec:721:15 #11 0x5c2c3d93624c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_d= ec_fuzzer.c:534:25 #12 0x5c2c3d82f9b0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char con= st*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp= :614:13 #13 0x5c2c3d81a144 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, = unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:32= 7:6 #14 0x5c2c3d81fbda in fuzzer::FuzzerDriver(int*, char***, int (*)(unsig= ned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/F= uzzerDriver.cpp:862:9 #15 0x5c2c3d84bfd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/Fuz= zerMain.cpp:20:10 #16 0x7ce16e94d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/= csu/libc-start.c:308:16 Ohh and maybe also all these that ossfuzz stuffed into a unrelated adpcm is= sue they look suspicously related to the issues above. 
All of the following are Use-of-uninitialized-value, Project ffmpeg, Platform linux, Reliably reproduces, Security (date | status | crash state | issue):

  Mon, Aug 12, 2024, 4:22 PM  |       | decode_format80 vqa_decode_frame decode_receive_frame_internal             | Issue 70618
  Mon, Aug 12, 2024, 7:42 AM  |       | imc_decode_frame decode_receive_frame_internal avcodec_send_packet         | Issue 70618
  Sun, Aug 11, 2024, 11:30 AM | Fixed | vp3_v_loop_filter_8_c apply_loop_filter vp3_decode_frame                   | Issue 70618
  Sun, Aug 11, 2024, 4:31 AM  |       | decompress_p3 decode_frame decode_receive_frame_internal                   | Issue 70618
  Sat, Aug 10, 2024, 2:00 AM  | Fixed | decode_nal_units hevc_decode_frame decode_receive_frame_internal           | Issue 70618
  Fri, Aug 9, 2024, 5:19 PM   | Fixed | vp3_h_loop_filter_8_c apply_loop_filter vp3_decode_frame                   | Issue 70618
  Fri, Aug 9, 2024, 12:48 PM  | Fixed | ff_vp3dsp_h_loop_filter_12 vp3_decode_frame decode_receive_frame_internal  | Issue 70618
  Fri, Aug 9, 2024, 3:57 AM   |       | ff_dsd2pcm_translate decode_frame decode_receive_frame_internal            | Issue 70618
  Thu, Aug 8, 2024, 7:35 PM   | Fixed | rv30_loop_filter ff_rv34_decode_frame decode_receive_frame_internal        | Issue 70618
  Thu, Aug 8, 2024, 2:46 PM   |       | decode_frame decode_receive_frame_internal ff_decode_receive_frame         | Issue 70618
  Thu, Aug 8, 2024, 4:42 AM   |       | rv30_loop_filter rv34_decode_slice ff_rv34_decode_frame                    | Issue 71025
  Thu, Aug 8, 2024, 4:13 AM   | Fixed | loop_filter_h_4_8_c ff_vp9_loopfilter_sb vp9_decode_frame                  | Issue 70618
  Thu, Aug 8, 2024, 3:03 AM   |       | decompress_p decode_frame decode_receive_frame_internal                    | Issue 70618
  Wed, Aug 7, 2024, 11:55 PM  |       | ff_h274_apply_film_grain decode_nal_units hevc_decode_frame                | Issue 71021
  Wed, Aug 7, 2024, 4:03 AM   |       | add_median_pred_c decode_frame decode_receive_frame_internal               | Issue 70618
  Tue, Aug 6, 2024, 9:37 PM   | Fixed | ff_er_frame_end ff_h263_decode_frame decode_receive_frame_internal         | Issue 70618
  Sat, Aug 3, 2024, 6:52 PM   |       | tgq_decode_frame decode_receive_frame_internal avcodec_send_packet         | Issue 70618
  Sat, Aug 3, 2024, 4:18 PM   |       | guess_mv ff_er_frame_end vc1_decode_frame                                  | Issue 70926
  Fri, Aug 2, 2024, 11:31 AM  | Fixed | mp_decode_frame decode_receive_frame_internal avcodec_send_packet          | Issue 70618
  Fri, Aug 2, 2024, 1:19 AM   |       | decode_frame decode_receive_frame_internal avcodec_send_packet             | Issue 70618
  Thu, Aug 1, 2024, 2:33 PM   |       | loop_filter_v_8_8_c ff_vp9_loopfilter_sb vp9_decode_frame                  | Issue 70858
  Thu, Aug 1, 2024, 7:57 AM   |       | ff_er_frame_end finish_frame ff_rv34_decode_frame                          | Issue 70848
  Thu, Aug 1, 2024, 2:27 AM   |       | add_left_pred_c decode_frame decode_receive_frame_internal                 | Issue 70838
  Wed, Jul 31, 2024, 11:08 PM |       | ff_add_png_paeth_prediction ff_png_filter_row decode_frame_lscr            | Issue 70836

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

It is dangerous to be right in matters on which the established authorities
are wrong. -- Voltaire