[FFmpeg-devel] [PATCH 5/6] tools/target_dec_fuzzer: Use av_buffer_allocz() to avoid missing slices to have unpredictable content

Michael Niedermayer michael at niedermayer.cc
Thu Aug 15 00:13:24 EEST 2024


On Mon, Aug 12, 2024 at 09:02:00PM +0200, Michael Niedermayer wrote:
> On Sat, Aug 10, 2024 at 12:34:16PM -0300, James Almer wrote:
> > On 8/9/2024 5:09 PM, Michael Niedermayer wrote:
> > > Hi
> > > 
> > > On Fri, Aug 09, 2024 at 03:56:42AM +0200, Kacper Michajlow wrote:
> > > > On Fri, 9 Aug 2024 at 00:06, Michael Niedermayer <michael at niedermayer.cc> wrote:
> > > > > 
> > > > > On Thu, Aug 08, 2024 at 02:13:12PM -0300, James Almer wrote:
> > > [...]
> > > > > If decoders are fed with uninitialized buffers thats a
> > > > > security issue because there are thousands if not ten thousands of
> > > > > pathes if you consider the number of decoders and the number
> > > > > of ways they can hit errors
> > > > 
> > > > Clearing those buffers in fuzzers does not alleviate this security
> > > > issue, as they may still be uninitialized in production code.
> > > 
> > > The decoders in production clear the buffers. The fuzzer does not
> > > so the issues it shows dont exist in production
> > > 
> > > look yourself in get_buffer.c
> > > 
> > >                  pool->pools[i] = av_buffer_pool_init(size[i] + 16 + STRIDE_ALIGN - 1,
> > >                                                       CONFIG_MEMORY_POISONING ?
> > >                                                          NULL :
> > >                                                          av_buffer_allocz);
> > > its av_buffer_allocz
> > 
> > I disagree. That's from avcodec_default_get_buffer2(). What about DR1
> > decoders where the caller is using their own avctx.get_buffer2() callback?
> > Nothing in the documentation says that the buffers must be zeroed.
> > 
> > I wrote the function you just changed with the intention of finding issues a
> > library user could trigger, which included allocating buffers exactly as big
> > as needed (with no extra padding) and not zeroing it, using lavu helpers
> > like the get_buffer2() documentation states.
> > 
> > This change here makes half of that moot, and is hiding potential bugs in
> > the form of use of uninitialized memory in our decoders.
> 
> we have several sanitizers, msan is just one of them
> outside msan, using uninitialized buffers is only having one effect and that
> is it makes things less reproducable
> 
> using uninitialized buffers is a security issue. Its a secuirty issue
> because many of our decoders pass uninitialized data through on errors.
> An attacker uploads a file with error and gets a encoded file back, that
> encoded file now contains what was in the memory of these uninitialized buffers
> An attacker is not supposed to be able to read your memory like that
> 
> we have 481 DR1 decoders. For the use for uninitialized buffers to be safe
> you need to have every error path on every of these decoders to clean every bit of
> the buffer that was not initialized.
> This is not how you design secure software
> Design that needs "every" multiplied by "every" to do a specific thing is bad security
> 
> noone volunteered to make all the decoders handle uninitialized buffers
> Simply making these issues appear in ossfuzz doesnt fix them
> 
> IMHO
> If someone wants to work on uninitialized buffer support and fixes, perfectly
> fine with me. What i do not agree to is the attempt to force the already very
> busy people to work on and fix these issues when a simply "memset()" avoids
> the whole issue
> 
> Again, on one hand one memset() on the other 481 DR1 decoders that clear the right
> bits of the buffer on EVERY error path.
> 
> Thats like strlcpy() vs strcpy() with no bugs on any use. We know which of this
> is a bad idea. Why is it here something we argue about ?
> because DR1 doesnt document that the buffer contents can leak through (which
> really is what it should say not "you must clear it")
> Its good enough if the user app ensures the buffer contains no sensitive data
> 
> and no matter how hard we try to fix all decoders so they never leak something
> thorugh. we should still say the custom buffers should not contain sensitive
> data, so iam not sure but i dont think we disagree here or do we ?
> 
> thx

Also if someone wants to look at decoders passing uninitialized data thorugh
here are a few

70836
    #0 0x567ec5e29ae1 in ff_add_png_paeth_prediction /src/ffmpeg/libavcodec/pngdec.c:236:22
    #1 0x567ec5e2a96f in ff_png_filter_row /src/ffmpeg/libavcodec/pngdec.c:330:17
    #2 0x567ec5de85ca in handle_row /src/ffmpeg/libavcodec/lscrdec.c:71:5
    #3 0x567ec5de85ca in decode_idat /src/ffmpeg/libavcodec/lscrdec.c:97:17
    #4 0x567ec5de85ca in decode_frame_lscr /src/ffmpeg/libavcodec/lscrdec.c:193:19
    #5 0x567ec5dca27b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #6 0x567ec5dca27b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #7 0x567ec5dca27b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #8 0x567ec5dc97e3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #9 0x567ec5db72bc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #10 0x567ec5cb0a20 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #11 0x567ec5c9b1b4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #12 0x567ec5ca0c4a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #13 0x567ec5ccd042 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x7dd57860d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #15 0x567ec5c91c8d in _start
  Uninitialized value was created by a heap allocation
    #0 0x567ec5d53603 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x567ec6564b48 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x567ec6517df2 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x567ec5db9c46 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x567ec5db9c46 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x567ec5dd54b0 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x567ec5dd6707 in reget_buffer_internal /src/ffmpeg/libavcodec/decode.c:1661:16
    #7 0x567ec5dd6707 in ff_reget_buffer /src/ffmpeg/libavcodec/decode.c:1686:15
    #8 0x567ec5de6cd9 in decode_frame_lscr /src/ffmpeg/libavcodec/lscrdec.c:130:11
    #9 0x567ec5dca27b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #10 0x567ec5dca27b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #11 0x567ec5dca27b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #12 0x567ec5dc97e3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #13 0x567ec5db72bc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #14 0x567ec5cb0a20 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #15 0x567ec5c9b1b4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #16 0x567ec5ca0c4a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #17 0x567ec5ccd042 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #18 0x7dd57860d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

70838 (i already fixed this one)
    #0 0x593ba893f86c in add_left_pred_c /src/ffmpeg/libavcodec/lossless_videodsp.c:80:5
    #1 0x593ba85617ba in decode_frame /src/ffmpeg/libavcodec/mvha.c:262:9
    #2 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #12 0x593ba83d6bcd in _start
  Uninitialized value was stored to memory at
    #0 0x593ba893f6c6 in add_left_pred_c /src/ffmpeg/libavcodec/lossless_videodsp.c:69:16
    #1 0x593ba85617ba in decode_frame /src/ffmpeg/libavcodec/mvha.c:262:9
    #2 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was stored to memory at
    #0 0x593ba893f70b in add_left_pred_c /src/ffmpeg/libavcodec/lossless_videodsp.c:72:16
    #1 0x593ba85617ba in decode_frame /src/ffmpeg/libavcodec/mvha.c:262:9
    #2 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was stored to memory at
    #0 0x593ba893f6c6 in add_left_pred_c /src/ffmpeg/libavcodec/lossless_videodsp.c:69:16
    #1 0x593ba85617ba in decode_frame /src/ffmpeg/libavcodec/mvha.c:262:9
    #2 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was created by a heap allocation
    #0 0x593ba8498543 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x593ba8c904c8 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x593ba8c44ac2 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x593ba84feb86 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x593ba84feb86 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x593ba851a3f0 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x593ba8560d57 in decode_frame /src/ffmpeg/libavcodec/mvha.c:170:20
    #7 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #8 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #9 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #10 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #11 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #12 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #13 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #14 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #15 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #16 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

70848
    #0 0x59d52678fcd5 in av_clip_c /src/ffmpeg/libavutil/common.h:183:14
    #1 0x59d52678fcd5 in filter181 /src/ffmpeg/libavcodec/error_resilience.c:125:19
    #2 0x59d52678fcd5 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1281:5
    #3 0x59d52670f498 in finish_frame /src/ffmpeg/libavcodec/rv34.c:1582:5
    #4 0x59d526702d83 in ff_rv34_decode_frame /src/ffmpeg/libavcodec/rv34.c:1802:19
    #5 0x59d526111a6b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #6 0x59d526111a6b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #7 0x59d526111a6b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #8 0x59d526110fd3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #9 0x59d5260feaac in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #10 0x59d525ff8210 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #11 0x59d525fe29a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #12 0x59d525fe843a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #13 0x59d526014832 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x7b1cb6cc5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #15 0x59d525fd947d in _start
  Uninitialized value was stored to memory at
    #0 0x59d52678dad2 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1255:59
    #1 0x59d52670f498 in finish_frame /src/ffmpeg/libavcodec/rv34.c:1582:5
    #2 0x59d526702d83 in ff_rv34_decode_frame /src/ffmpeg/libavcodec/rv34.c:1802:19
    #3 0x59d526111a6b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #4 0x59d526111a6b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #5 0x59d526111a6b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #6 0x59d526110fd3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #7 0x59d5260feaac in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #8 0x59d525ff8210 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #9 0x59d525fe29a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #10 0x59d525fe843a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #11 0x59d526014832 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #12 0x7b1cb6cc5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was stored to memory at
    #0 0x59d5265f7d5d in put_pixels8_8_c /src/ffmpeg/libavcodec/pel_template.c:78:1
    #1 0x59d5265f7d5d in put_pixels16_8_c /src/ffmpeg/libavcodec/pel_template.c:78:1
    #2 0x59d5266b6455 in mpeg_motion_internal /src/ffmpeg/libavcodec/mpegvideo_motion.c:205:5
    #3 0x59d5266b6455 in mpeg_motion /src/ffmpeg/libavcodec/mpegvideo_motion.c:232:9
    #4 0x59d5266b3606 in mpv_motion_internal /src/ffmpeg/libavcodec/mpegvideo_motion.c:0
    #5 0x59d5266b3606 in ff_mpv_motion /src/ffmpeg/libavcodec/mpegvideo_motion.c:0
    #6 0x59d526697988 in mpv_reconstruct_mb_internal /src/ffmpeg/libavcodec/mpv_reconstruct_mb_template.c:147:21
    #7 0x59d526697988 in ff_mpv_reconstruct_mb /src/ffmpeg/libavcodec/mpegvideo_dec.c:930:13
    #8 0x59d5267925c1 in guess_mv /src/ffmpeg/libavcodec/error_resilience.c:456:17
    #9 0x59d52678d549 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1224:9
    #10 0x59d52670f498 in finish_frame /src/ffmpeg/libavcodec/rv34.c:1582:5
    #11 0x59d526702d83 in ff_rv34_decode_frame /src/ffmpeg/libavcodec/rv34.c:1802:19
    #12 0x59d526111a6b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #13 0x59d526111a6b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #14 0x59d526111a6b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #15 0x59d526110fd3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #16 0x59d5260feaac in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #17 0x59d525ff8210 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #18 0x59d525fe29a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #19 0x59d525fe843a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #20 0x59d526014832 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #21 0x7b1cb6cc5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was created by a heap allocation
    #0 0x59d52609adf3 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x59d526982dc8 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x59d5269373c2 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x59d526101436 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x59d526101436 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x59d52611cca0 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x59d526175c29 in thread_get_buffer_internal /src/ffmpeg/libavcodec/pthread_frame.c:969:16
    #7 0x59d526175c29 in ff_thread_get_buffer /src/ffmpeg/libavcodec/pthread_frame.c:988:15
    #8 0x59d526690078 in alloc_picture /src/ffmpeg/libavcodec/mpegvideo_dec.c:234:15
    #9 0x59d525fcc4a2 in alloc_dummy_frame /src/ffmpeg/libavcodec/mpegvideo_dec.c:271:15
    #10 0x59d52668ed1c in ff_mpv_alloc_dummy_frames /src/ffmpeg/libavcodec/mpegvideo_dec.c:318:15
    #11 0x59d52668f9ae in ff_mpv_frame_start /src/ffmpeg/libavcodec/mpegvideo_dec.c:384:11
    #12 0x59d526702afc in ff_rv34_decode_frame /src/ffmpeg/libavcodec/rv34.c:1706:13
    #13 0x59d526111a6b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #14 0x59d526111a6b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #15 0x59d526111a6b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #16 0x59d526110fd3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #17 0x59d5260feaac in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #18 0x59d525ff8210 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #19 0x59d525fe29a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #20 0x59d525fe843a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #21 0x59d526014832 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #22 0x7b1cb6cc5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #0 0x57ffd5699628 in loop_filter /src/ffmpeg/libavcodec/vp9dsp_template.c:1796:38
    #1 0x57ffd5699628 in loop_filter_v_8_8_c /src/ffmpeg/libavcodec/vp9dsp_template.c:1906:1
    #2 0x57ffd5721d2c in filter_plane_rows /src/ffmpeg/libavcodec/vp9lpf.c:0:25
    #3 0x57ffd5721d2c in ff_vp9_loopfilter_sb /src/ffmpeg/libavcodec/vp9lpf.c:201:9
    #4 0x57ffd55d64a8 in decode_tiles /src/ffmpeg/libavcodec/vp9.c:1372:21
    #5 0x57ffd55d64a8 in vp9_decode_frame /src/ffmpeg/libavcodec/vp9.c:1716:19
    #6 0x57ffd552c5bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #7 0x57ffd552c5bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #8 0x57ffd552c5bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #9 0x57ffd552bb23 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #10 0x57ffd55195fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #11 0x57ffd5412d60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #12 0x57ffd53fd4f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #13 0x57ffd5402f8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #14 0x57ffd542f382 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0x7c7d13998082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #16 0x57ffd53f3fcd in _start
  Uninitialized value was created by a heap allocation
    #0 0x57ffd54b5943 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x57ffd5f209e8 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x57ffd5ed4fe2 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x57ffd551bf86 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x57ffd551bf86 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x57ffd55377f0 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x57ffd5590779 in thread_get_buffer_internal /src/ffmpeg/libavcodec/pthread_frame.c:969:16
    #7 0x57ffd5590779 in ff_thread_get_buffer /src/ffmpeg/libavcodec/pthread_frame.c:988:15
    #8 0x57ffd5538d8a in ff_progress_frame_get_buffer /src/ffmpeg/libavcodec/decode.c:1725:11
    #9 0x57ffd55d19fb in vp9_frame_alloc /src/ffmpeg/libavcodec/vp9.c:110:11
    #10 0x57ffd55d19fb in vp9_decode_frame /src/ffmpeg/libavcodec/vp9.c:1588:16
    #11 0x57ffd552c5bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #12 0x57ffd552c5bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #13 0x57ffd552c5bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #14 0x57ffd552bb23 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #15 0x57ffd55195fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #16 0x57ffd5412d60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #17 0x57ffd53fd4f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #18 0x57ffd5402f8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #19 0x57ffd542f382 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #20 0x7c7d13998082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

70858
    #0 0x57ffd5699628 in loop_filter /src/ffmpeg/libavcodec/vp9dsp_template.c:1796:38
    #1 0x57ffd5699628 in loop_filter_v_8_8_c /src/ffmpeg/libavcodec/vp9dsp_template.c:1906:1
    #2 0x57ffd5721d2c in filter_plane_rows /src/ffmpeg/libavcodec/vp9lpf.c:0:25
    #3 0x57ffd5721d2c in ff_vp9_loopfilter_sb /src/ffmpeg/libavcodec/vp9lpf.c:201:9
    #4 0x57ffd55d64a8 in decode_tiles /src/ffmpeg/libavcodec/vp9.c:1372:21
    #5 0x57ffd55d64a8 in vp9_decode_frame /src/ffmpeg/libavcodec/vp9.c:1716:19
    #6 0x57ffd552c5bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #7 0x57ffd552c5bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #8 0x57ffd552c5bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #9 0x57ffd552bb23 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #10 0x57ffd55195fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #11 0x57ffd5412d60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #12 0x57ffd53fd4f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #13 0x57ffd5402f8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #14 0x57ffd542f382 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0x7c7d13998082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #16 0x57ffd53f3fcd in _start
  Uninitialized value was created by a heap allocation
    #0 0x57ffd54b5943 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x57ffd5f209e8 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x57ffd5ed4fe2 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x57ffd551bf86 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x57ffd551bf86 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x57ffd55377f0 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x57ffd5590779 in thread_get_buffer_internal /src/ffmpeg/libavcodec/pthread_frame.c:969:16
    #7 0x57ffd5590779 in ff_thread_get_buffer /src/ffmpeg/libavcodec/pthread_frame.c:988:15
    #8 0x57ffd5538d8a in ff_progress_frame_get_buffer /src/ffmpeg/libavcodec/decode.c:1725:11
    #9 0x57ffd55d19fb in vp9_frame_alloc /src/ffmpeg/libavcodec/vp9.c:110:11
    #10 0x57ffd55d19fb in vp9_decode_frame /src/ffmpeg/libavcodec/vp9.c:1588:16
    #11 0x57ffd552c5bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #12 0x57ffd552c5bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #13 0x57ffd552c5bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #14 0x57ffd552bb23 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #15 0x57ffd55195fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #16 0x57ffd5412d60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #17 0x57ffd53fd4f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #18 0x57ffd5402f8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #19 0x57ffd542f382 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #20 0x7c7d13998082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

70870
  #0 0x5c9ac4ef5b92 in av_clip_c /src/ffmpeg/libavutil/common.h:183:14
    #1 0x5c9ac4ef5b92 in filter181 /src/ffmpeg/libavcodec/error_resilience.c:109:19
    #2 0x5c9ac4ef5b92 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1281:5
    #3 0x5c9ac4be8ebe in slice_end /src/ffmpeg/libavcodec/mpeg12dec.c:1740:9
    #4 0x5c9ac4be8ebe in decode_chunks /src/ffmpeg/libavcodec/mpeg12dec.c:2198:23
    #5 0x5c9ac4bd65ce in mpeg_decode_frame /src/ffmpeg/libavcodec/mpeg12dec.c:2546:11
    #6 0x5c9ac4b83e2b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #7 0x5c9ac4b83e2b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #8 0x5c9ac4b83e2b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #9 0x5c9ac4b83393 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #10 0x5c9ac4b70e6c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #11 0x5c9ac4a6a5d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #12 0x5c9ac4a54d64 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #13 0x5c9ac4a5a7fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #14 0x5c9ac4a86bf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0x7edc6d9b0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #16 0x5c9ac4a4b83d in _start
  Uninitialized value was stored to memory at
    #0 0x5c9ac4ef39a2 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1255:59
    #1 0x5c9ac4be8ebe in slice_end /src/ffmpeg/libavcodec/mpeg12dec.c:1740:9
    #2 0x5c9ac4be8ebe in decode_chunks /src/ffmpeg/libavcodec/mpeg12dec.c:2198:23
    #3 0x5c9ac4bd65ce in mpeg_decode_frame /src/ffmpeg/libavcodec/mpeg12dec.c:2546:11
    #4 0x5c9ac4b83e2b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #5 0x5c9ac4b83e2b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #6 0x5c9ac4b83e2b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #7 0x5c9ac4b83393 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #8 0x5c9ac4b70e6c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #9 0x5c9ac4a6a5d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #10 0x5c9ac4a54d64 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #11 0x5c9ac4a5a7fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #12 0x5c9ac4a86bf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #13 0x7edc6d9b0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was stored to memory at
    #0 0x5c9ac500cb9c in put_pixels8_8_c /src/ffmpeg/libavcodec/pel_template.c:78:1
    #1 0x5c9ac500cb9c in put_pixels16_8_c /src/ffmpeg/libavcodec/pel_template.c:78:1
    #2 0x5c9ac4c2f170 in mpeg_motion_internal /src/ffmpeg/libavcodec/mpegvideo_motion.c:205:5
    #3 0x5c9ac4c2f170 in mpeg_motion /src/ffmpeg/libavcodec/mpegvideo_motion.c:227:9
    #4 0x5c9ac4c2bc46 in mpv_motion_internal /src/ffmpeg/libavcodec/mpegvideo_motion.c:0
    #5 0x5c9ac4c2bc46 in ff_mpv_motion /src/ffmpeg/libavcodec/mpegvideo_motion.c:0
    #6 0x5c9ac4c0cc7e in mpv_reconstruct_mb_internal /src/ffmpeg/libavcodec/mpv_reconstruct_mb_template.c:147:21
    #7 0x5c9ac4c0cc7e in ff_mpv_reconstruct_mb /src/ffmpeg/libavcodec/mpegvideo_dec.c:928:13
    #8 0x5c9ac4ef8491 in guess_mv /src/ffmpeg/libavcodec/error_resilience.c:456:17
    #9 0x5c9ac4ef3419 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1224:9
    #10 0x5c9ac4be8ebe in slice_end /src/ffmpeg/libavcodec/mpeg12dec.c:1740:9
    #11 0x5c9ac4be8ebe in decode_chunks /src/ffmpeg/libavcodec/mpeg12dec.c:2198:23
    #12 0x5c9ac4bd65ce in mpeg_decode_frame /src/ffmpeg/libavcodec/mpeg12dec.c:2546:11
    #13 0x5c9ac4b83e2b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #14 0x5c9ac4b83e2b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #15 0x5c9ac4b83e2b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #16 0x5c9ac4b83393 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #17 0x5c9ac4b70e6c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #18 0x5c9ac4a6a5d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #19 0x5c9ac4a54d64 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #20 0x5c9ac4a5a7fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #21 0x5c9ac4a86bf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #22 0x7edc6d9b0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was created by a heap allocation
    #0 0x5c9ac4b0d1b3 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x5c9ac5326e38 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x5c9ac52db432 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x5c9ac4b737f6 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x5c9ac4b737f6 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x5c9ac4b8f060 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x5c9ac4c44829 in thread_get_buffer_internal /src/ffmpeg/libavcodec/pthread_frame.c:969:16
    #7 0x5c9ac4c44829 in ff_thread_get_buffer /src/ffmpeg/libavcodec/pthread_frame.c:988:15
    #8 0x5c9ac4c086b8 in alloc_picture /src/ffmpeg/libavcodec/mpegvideo_dec.c:234:15
    #9 0x5c9ac4a3604b in alloc_dummy_frame /src/ffmpeg/libavcodec/mpegvideo_dec.c:271:15
    #10 0x5c9ac4c0735c in ff_mpv_alloc_dummy_frames /src/ffmpeg/libavcodec/mpegvideo_dec.c:318:15
    #11 0x5c9ac4c07fee in ff_mpv_frame_start /src/ffmpeg/libavcodec/mpegvideo_dec.c:384:11
    #12 0x5c9ac4beb6b8 in mpeg_field_start /src/ffmpeg/libavcodec/mpeg12dec.c:1268:20
    #13 0x5c9ac4be18f2 in decode_chunks /src/ffmpeg/libavcodec/mpeg12dec.c:2446:32
    #14 0x5c9ac4bd65ce in mpeg_decode_frame /src/ffmpeg/libavcodec/mpeg12dec.c:2546:11
    #15 0x5c9ac4b83e2b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #16 0x5c9ac4b83e2b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #17 0x5c9ac4b83e2b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #18 0x5c9ac4b83393 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #19 0x5c9ac4b70e6c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #20 0x5c9ac4a6a5d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #21 0x5c9ac4a54d64 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #22 0x5c9ac4a5a7fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #23 0x5c9ac4a86bf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10

70928
=6524==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x5c2c3d950a9b in run_postproc /src/ffmpeg/libavcodec/dds.c:483:21
    #1 0x5c2c3d94acc0 in dds_decode /src/ffmpeg/libavcodec/dds.c:711:9
    #2 0x5c2c3d9529db in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x5c2c3d9529db in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x5c2c3d9529db in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x5c2c3d951f43 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x5c2c3d93624c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x5c2c3d82f9b0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x5c2c3d81a144 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x5c2c3d81fbda in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x5c2c3d84bfd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7ce16e94d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #12 0x5c2c3d810c1d in _start
  Uninitialized value was created by a heap allocation
    #0 0x5c2c3d8d2593 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x5c2c3e0d2798 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x5c2c3e086d92 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x5c2c3d938bd6 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x5c2c3d938bd6 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x5c2c3d95dc10 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x5c2c3d949f58 in dds_decode /src/ffmpeg/libavcodec/dds.c:618:11
    #7 0x5c2c3d9529db in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #8 0x5c2c3d9529db in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #9 0x5c2c3d9529db in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #10 0x5c2c3d951f43 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #11 0x5c2c3d93624c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #12 0x5c2c3d82f9b0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #13 0x5c2c3d81a144 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #14 0x5c2c3d81fbda in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #15 0x5c2c3d84bfd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #16 0x7ce16e94d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16


Ohh and maybe also all these that ossfuzz stuffed into a unrelated adpcm issue they look suspicously related to the
issues above.

Use-of-uninitialized-value Mon, Aug 12, 2024, 4:22 PM 	Project ffmpeg Platform linux Reliably reproduces Security
decode_format80
vqa_decode_frame
decode_receive_frame_internal
Issue 70618
Use-of-uninitialized-value Mon, Aug 12, 2024, 7:42 AM 	Project ffmpeg Platform linux Reliably reproduces Security
imc_decode_frame
decode_receive_frame_internal
avcodec_send_packet
Issue 70618
Use-of-uninitialized-value Sun, Aug 11, 2024, 11:30 AM 	Fixed Project ffmpeg Platform linux Reliably reproduces Security
vp3_v_loop_filter_8_c
apply_loop_filter
vp3_decode_frame
Issue 70618
Use-of-uninitialized-value Sun, Aug 11, 2024, 4:31 AM 	Project ffmpeg Platform linux Reliably reproduces Security
decompress_p3
decode_frame
decode_receive_frame_internal
Issue 70618
Use-of-uninitialized-value Sat, Aug 10, 2024, 2:00 AM 	Fixed Project ffmpeg Platform linux Reliably reproduces Security
decode_nal_units
hevc_decode_frame
decode_receive_frame_internal
Issue 70618
Use-of-uninitialized-value Fri, Aug 9, 2024, 5:19 PM 	Fixed Project ffmpeg Platform linux Reliably reproduces Security
vp3_h_loop_filter_8_c
apply_loop_filter
vp3_decode_frame
Issue 70618
Use-of-uninitialized-value Fri, Aug 9, 2024, 12:48 PM 	Fixed Project ffmpeg Platform linux Reliably reproduces Security
ff_vp3dsp_h_loop_filter_12
vp3_decode_frame
decode_receive_frame_internal
Issue 70618
Use-of-uninitialized-value Fri, Aug 9, 2024, 3:57 AM 	Project ffmpeg Platform linux Reliably reproduces Security
ff_dsd2pcm_translate
decode_frame
decode_receive_frame_internal
Issue 70618
Use-of-uninitialized-value Thu, Aug 8, 2024, 7:35 PM 	Fixed Project ffmpeg Platform linux Reliably reproduces Security
rv30_loop_filter
ff_rv34_decode_frame
decode_receive_frame_internal
Issue 70618
Use-of-uninitialized-value Thu, Aug 8, 2024, 2:46 PM 	Project ffmpeg Platform linux Reliably reproduces Security
decode_frame
decode_receive_frame_internal
ff_decode_receive_frame
Issue 70618
Use-of-uninitialized-value Thu, Aug 8, 2024, 4:42 AM 	Project ffmpeg Platform linux Reliably reproduces Security
rv30_loop_filter
rv34_decode_slice
ff_rv34_decode_frame
Issue 71025
Use-of-uninitialized-value Thu, Aug 8, 2024, 4:13 AM 	Fixed Project ffmpeg Platform linux Reliably reproduces Security
loop_filter_h_4_8_c
ff_vp9_loopfilter_sb
vp9_decode_frame
Issue 70618
Use-of-uninitialized-value Thu, Aug 8, 2024, 3:03 AM 	Project ffmpeg Platform linux Reliably reproduces Security
decompress_p
decode_frame
decode_receive_frame_internal
Issue 70618
Use-of-uninitialized-value Wed, Aug 7, 2024, 11:55 PM 	Project ffmpeg Platform linux Reliably reproduces Security
ff_h274_apply_film_grain
decode_nal_units
hevc_decode_frame
Issue 71021
Use-of-uninitialized-value Wed, Aug 7, 2024, 4:03 AM 	Project ffmpeg Platform linux Reliably reproduces Security
add_median_pred_c
decode_frame
decode_receive_frame_internal
Issue 70618
Use-of-uninitialized-value Tue, Aug 6, 2024, 9:37 PM 	Fixed Project ffmpeg Platform linux Reliably reproduces Security
ff_er_frame_end
ff_h263_decode_frame
decode_receive_frame_internal
Issue 70618
Use-of-uninitialized-value Sat, Aug 3, 2024, 6:52 PM 	Project ffmpeg Platform linux Reliably reproduces Security
tgq_decode_frame
decode_receive_frame_internal
avcodec_send_packet
Issue 70618
Use-of-uninitialized-value Sat, Aug 3, 2024, 4:18 PM 	Project ffmpeg Platform linux Reliably reproduces Security
guess_mv
ff_er_frame_end
vc1_decode_frame
Issue 70926
Use-of-uninitialized-value Fri, Aug 2, 2024, 11:31 AM 	Fixed Project ffmpeg Platform linux Reliably reproduces Security
mp_decode_frame
decode_receive_frame_internal
avcodec_send_packet
Issue 70618
Use-of-uninitialized-value Fri, Aug 2, 2024, 1:19 AM 	Project ffmpeg Platform linux Reliably reproduces Security
decode_frame
decode_receive_frame_internal
avcodec_send_packet
Issue 70618
Use-of-uninitialized-value Thu, Aug 1, 2024, 2:33 PM 	Project ffmpeg Platform linux Reliably reproduces Security
loop_filter_v_8_8_c
ff_vp9_loopfilter_sb
vp9_decode_frame
Issue 70858
Use-of-uninitialized-value Thu, Aug 1, 2024, 7:57 AM 	Project ffmpeg Platform linux Reliably reproduces Security
ff_er_frame_end
finish_frame
ff_rv34_decode_frame
Issue 70848
Use-of-uninitialized-value Thu, Aug 1, 2024, 2:27 AM 	Project ffmpeg Platform linux Reliably reproduces Security
add_left_pred_c
decode_frame
decode_receive_frame_internal
Issue 70838
Use-of-uninitialized-value Wed, Jul 31, 2024, 11:08 PM 	Project ffmpeg Platform linux Reliably reproduces Security
ff_add_png_paeth_prediction
ff_png_filter_row
decode_frame_lscr
Issue 70836

thx

[...]


-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

It is dangerous to be right in matters on which the established authorities
are wrong. -- Voltaire
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240814/9ceec793/attachment.sig>


More information about the ffmpeg-devel mailing list