
[FFmpeg-devel,5/6] tools/target_dec_fuzzer: Use av_buffer_allocz() to avoid missing slices to have unpredictable content

Message ID 20240806221853.959177-5-michael@niedermayer.cc
State New
Series [FFmpeg-devel,1/6] avformat/segafilm: Set keyframe

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished

Commit Message

Michael Niedermayer Aug. 6, 2024, 10:18 p.m. UTC
Fixes: use of uninitialized values
Fixes: 70885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6F_fuzzer-4610946029387776 (and likely others)

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 tools/target_dec_fuzzer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Michael Niedermayer Aug. 8, 2024, 5:11 p.m. UTC | #1
On Wed, Aug 07, 2024 at 12:18:52AM +0200, Michael Niedermayer wrote:
> Fixes: use of uninitialized values
> Fixes: 70885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6F_fuzzer-4610946029387776 (and likely others)
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  tools/target_dec_fuzzer.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply

[...]
James Almer Aug. 8, 2024, 5:13 p.m. UTC | #2
On 8/6/2024 7:18 PM, Michael Niedermayer wrote:
> Fixes: use of uninitialized values
> Fixes: 70885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6F_fuzzer-4610946029387776 (and likely others)
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   tools/target_dec_fuzzer.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
> index d2d7e21dac7..794b5b92cc7 100644
> --- a/tools/target_dec_fuzzer.c
> +++ b/tools/target_dec_fuzzer.c
> @@ -129,7 +129,7 @@ static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame)
>   
>       frame->extended_data = frame->data;
>       for (i = 0; i < 4 && size[i]; i++) {
> -        frame->buf[i] = av_buffer_alloc(size[i]);
> +        frame->buf[i] = av_buffer_allocz(size[i]);
>           if (!frame->buf[i])
>               goto fail;
>           frame->data[i] = frame->buf[i]->data;
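Review bot: the zeroing is unconditional for every plane, so MSan can no longer tell a decoder reading pixels it never wrote apart from one reading its own output; consider gating it behind a harness option or a per-decoder setting so that `av_buffer_alloc(size[i])` stays available for decoders whose maintainers want the stricter check, and leave a one-line comment next to the `av_buffer_allocz(size[i])` call stating why the buffers are zeroed, since the bare call will not tell later readers that this was a deliberate trade-off against uninitialized-read reports.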

Wouldn't this hide actual decoder bugs too?
Michael Niedermayer Aug. 8, 2024, 9:27 p.m. UTC | #3
On Thu, Aug 08, 2024 at 02:13:12PM -0300, James Almer wrote:
> On 8/6/2024 7:18 PM, Michael Niedermayer wrote:
> > Fixes: use of uninitialized values
> > Fixes: 70885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6F_fuzzer-4610946029387776 (and likely others)
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >   tools/target_dec_fuzzer.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
> > index d2d7e21dac7..794b5b92cc7 100644
> > --- a/tools/target_dec_fuzzer.c
> > +++ b/tools/target_dec_fuzzer.c
> > @@ -129,7 +129,7 @@ static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame)
> >       frame->extended_data = frame->data;
> >       for (i = 0; i < 4 && size[i]; i++) {
> > -        frame->buf[i] = av_buffer_alloc(size[i]);
> > +        frame->buf[i] = av_buffer_allocz(size[i]);
> >           if (!frame->buf[i])
> >               goto fail;
> >           frame->data[i] = frame->buf[i]->data;
> 
> Wouldn't this hide actual decoder bugs too?

I am not sure I understand what you mean

If decoders are fed with uninitialized buffers that's a
security issue because there are thousands if not tens of thousands of
paths if you consider the number of decoders and the number
of ways they can hit errors
Paths in which these buffers are not filled completely, so each
of these paths would then need to clear the right bits of data.
Basically that means implementing error concealment for every decoder.
AND making sure that error concealment code is 100% bug-free and
never leaves a spot uncleaned and never touches something that was not written to
Security-wise this is not possible for production code, it's too
fragile (at least with the number of decoders and active maintainers we have)
(you want less code to have to be bug-free for security not more code having
 to be bug-free)

Now this is the fuzzer and not production code, ok. And of course it is
great to have error concealment in every decoder
But then this leaves the question, who will do this work?
If no one does it then we will accumulate many msan bugs in ossfuzz that we won't
be able to do much with except ignore them.
This would make the fuzzer less efficient and it would confuse people looking
at the issues

Or the short punchy reply maybe is
Produce a volunteer who will fix these bugs before declaring them bugs.
And when doing so consider that we have bugfixes on the mailing list for which we
seem to not even have the manpower to review and apply them

So yeah, my opinion is the default should be the simple & easy to maintain way.
If someone declares their decoder to have flawless error concealment (and for some
simple decoders that could be quite simple) these can always be excluded and use
uninitialized buffers in the fuzzer

thx

[...]
Kacper Michajlow Aug. 9, 2024, 1:56 a.m. UTC | #4
On Fri, 9 Aug 2024 at 00:06, Michael Niedermayer <michael@niedermayer.cc> wrote:
>
> On Thu, Aug 08, 2024 at 02:13:12PM -0300, James Almer wrote:
> > On 8/6/2024 7:18 PM, Michael Niedermayer wrote:
> > > Fixes: use of uninitialized values
> > > Fixes: 70885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP6F_fuzzer-4610946029387776 (and likely others)
> > >
> > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > > ---
> > >   tools/target_dec_fuzzer.c | 2 +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
> > > index d2d7e21dac7..794b5b92cc7 100644
> > > --- a/tools/target_dec_fuzzer.c
> > > +++ b/tools/target_dec_fuzzer.c
> > > @@ -129,7 +129,7 @@ static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame)
> > >       frame->extended_data = frame->data;
> > >       for (i = 0; i < 4 && size[i]; i++) {
> > > -        frame->buf[i] = av_buffer_alloc(size[i]);
> > > +        frame->buf[i] = av_buffer_allocz(size[i]);
> > >           if (!frame->buf[i])
> > >               goto fail;
> > >           frame->data[i] = frame->buf[i]->data;
> >
> > Wouldn't this hide actual decoder bugs too?
>
> I am not sure I understand what you mean

In general, clearing buffers before processing makes MSAN less
effective in discovering invalid accesses because they would all
appear valid from its point of view. So, I guess the argument was that
this could hide actual decoder bugs since the buffers are already
initialized by the fuzzing binary itself, which, in theory, is
supposed to emulate the worst-case scenario for a tested decoder.

> If decoders are fed with uninitialized buffers that's a
> security issue because there are thousands if not tens of thousands of
> paths if you consider the number of decoders and the number
> of ways they can hit errors

Clearing those buffers in fuzzers does not alleviate this security
issue, as they may still be uninitialized in production code.

> Paths in which these buffers are not filled completely, so each
> of these paths would then need to clear the right bits of data.
> Basically that means implementing error concealment for every decoder.
> AND making sure that error concealment code is 100% bug-free and
> never leaves a spot uncleaned and never touches something that was not written to

Isn't that the point of uninitialized access checking? I can't speak
to the scale of the problem because I don't know what the issues are.
In principle, you don't have to clear each uninitialized path of the
buffer that may occur due to an error. Instead, you should ensure that
the buffer is not accessed when the error occurs. If decoders rely on
external users to provide zeroed buffers to work correctly, then this
should be documented as an API requirement.

Outputting garbage on errors is acceptable, but if decoders process
uninitialized data internally when errors occur, they are, at best,
non-deterministic...

> Security-wise this is not possible for production code, it's too
> fragile (at least with the number of decoders and active maintainers we have)
> (you want less code to have to be bug-free for security not more code having
>  to be bug-free)
>
> Now this is the fuzzer and not production code, ok. And of course it is
> great to have error concealment in every decoder
> But then this leaves the question, who will do this work?
> If no one does it then we will accumulate many msan bugs in ossfuzz that we won't
> be able to do much with except ignore them.
> This would make the fuzzer less efficient and it would confuse people looking
> at the issues

MSAN is not forgiving, and I can imagine that stabilizing it could
take time. However, suppressing the reports will not make it more
efficient. I might not fully understand what you meant, though.

That being said, I think the patch makes sense as a short-term
solution to suppress the bulk of reports and focus on the remaining
ones. However, it would be good to make it clear that, at some point,
it should be reverted. As it stands now, no one will remember why it
was zeroed out, and it could remain that way indefinitely. Perhaps it
should be configurable per decoder.

> Or the short punchy reply maybe is
> Produce a volunteer who will fix these bugs before declaring them bugs.
> And when doing so consider that we have bugfixes on the mailing list for which we
> seem to not even have the manpower to review and apply them
>
> So yeah, my opinion is the default should be the simple & easy to maintain way.
> If someone declares their decoder to have flawless error concealment (and for some
> simple decoders that could be quite simple) these can always be excluded and use
> uninitialized buffers in the fuzzer

What is the problem with keeping those reports and letting "someone"
work on their decoder based on reports?

- Kacper
Michael Niedermayer Aug. 9, 2024, 8:09 p.m. UTC | #5
Hi

On Fri, Aug 09, 2024 at 03:56:42AM +0200, Kacper Michajlow wrote:
> On Fri, 9 Aug 2024 at 00:06, Michael Niedermayer <michael@niedermayer.cc> wrote:
> >
> > On Thu, Aug 08, 2024 at 02:13:12PM -0300, James Almer wrote:
[...]
> > If decoders are fed with uninitialized buffers that's a
> > security issue because there are thousands if not tens of thousands of
> > paths if you consider the number of decoders and the number
> > of ways they can hit errors
> 
> Clearing those buffers in fuzzers does not alleviate this security
> issue, as they may still be uninitialized in production code.

The decoders in production clear the buffers. The fuzzer does not,
so the issues it shows don't exist in production

look yourself in get_buffer.c

                pool->pools[i] = av_buffer_pool_init(size[i] + 16 + STRIDE_ALIGN - 1,
                                                     CONFIG_MEMORY_POISONING ?
                                                        NULL :
                                                        av_buffer_allocz);
It's av_buffer_allocz


[...]
> > Security-wise this is not possible for production code, it's too
> > fragile (at least with the number of decoders and active maintainers we have)
> > (you want less code to have to be bug-free for security not more code having
> >  to be bug-free)
> >
> > Now this is the fuzzer and not production code, ok. And of course it is
> > great to have error concealment in every decoder
> > But then this leaves the question, who will do this work?
> > If no one does it then we will accumulate many msan bugs in ossfuzz that we won't
> > be able to do much with except ignore them.
> > This would make the fuzzer less efficient and it would confuse people looking
> > at the issues
> 
> MSAN is not forgiving, and I can imagine that stabilizing it could
> take time.

> However, suppressing the reports will not make it more
> efficient.

It will make it more efficient because then the fuzzer shows only issues
also affecting production and ones someone intends to work on.
Otherwise it shows many issues that will distract and confuse


> I might not fully understand what you meant, though.

Yes, I think we misunderstand each other a bit


[...]

> Perhaps it
> should be configurable per decoder.

That is what I suggested, or at least I meant to.
For decoders where someone intends to fix every case where original buffer
data with nothing written into it comes through, it could make sense to enable
uninitialized input buffers.
Still I have not seen anyone actually want to do that. I certainly don't have the
time for any of the decoders that I maintain. But if someone else wants,
I surely don't mind if (s)he turns this on and works on the additional cases for
any decoders that I maintain ...


> 
> > Or the short punchy reply maybe is
> > Produce a volunteer who will fix these bugs before declaring them bugs.
> > And when doing so consider that we have bugfixes on the mailing list for which we
> > seem to not even have the manpower to review and apply them
> >
> > So yeah, my opinion is the default should be the simple & easy to maintain way.
> > If someone declares their decoder to have flawless error concealment (and for some
> > simple decoders that could be quite simple) these can always be excluded and use
> > uninitialized buffers in the fuzzer
> 
> What is the problem with keeping those reports and letting "someone"
> work on their decoder based on reports?

ossfuzz is the problem,
these issues are not separate/segregated nor do I see a way ossfuzz could
separate them but again ATM we have no one intending to work on this so
this patch solves it.

thx

[...]
James Almer Aug. 10, 2024, 3:34 p.m. UTC | #6
On 8/9/2024 5:09 PM, Michael Niedermayer wrote:
> Hi
> 
> On Fri, Aug 09, 2024 at 03:56:42AM +0200, Kacper Michajlow wrote:
>> On Fri, 9 Aug 2024 at 00:06, Michael Niedermayer <michael@niedermayer.cc> wrote:
>>>
>>> On Thu, Aug 08, 2024 at 02:13:12PM -0300, James Almer wrote:
> [...]
>>> If decoders are fed with uninitialized buffers that's a
>>> security issue because there are thousands if not tens of thousands of
>>> paths if you consider the number of decoders and the number
>>> of ways they can hit errors
>>
>> Clearing those buffers in fuzzers does not alleviate this security
>> issue, as they may still be uninitialized in production code.
> 
> The decoders in production clear the buffers. The fuzzer does not,
> so the issues it shows don't exist in production
> 
> look yourself in get_buffer.c
> 
>                  pool->pools[i] = av_buffer_pool_init(size[i] + 16 + STRIDE_ALIGN - 1,
>                                                       CONFIG_MEMORY_POISONING ?
>                                                          NULL :
>                                                          av_buffer_allocz);
> It's av_buffer_allocz

I disagree. That's from avcodec_default_get_buffer2(). What about DR1
decoders where the caller is using their own avctx.get_buffer2()
callback? Nothing in the documentation says that the buffers must be zeroed.

I wrote the function you just changed with the intention of finding
issues a library user could trigger, which included allocating buffers
exactly as big as needed (with no extra padding) and not zeroing them,
using lavu helpers like the get_buffer2() documentation states.

This change here makes half of that moot, and is hiding potential bugs
in the form of use of uninitialized memory in our decoders.

> 
> 
> [...]
>>> Security-wise this is not possible for production code, it's too
>>> fragile (at least with the number of decoders and active maintainers we have)
>>> (you want less code to have to be bug-free for security not more code having
>>>   to be bug-free)
>>>
>>> Now this is the fuzzer and not production code, ok. And of course it is
>>> great to have error concealment in every decoder
>>> But then this leaves the question, who will do this work?
>>> If no one does it then we will accumulate many msan bugs in ossfuzz that we won't
>>> be able to do much with except ignore them.
>>> This would make the fuzzer less efficient and it would confuse people looking
>>> at the issues
>>
>> MSAN is not forgiving, and I can imagine that stabilizing it could
>> take time.
> 
>> However, suppressing the reports will not make it more
>> efficient.
> 
> It will make it more efficient because then the fuzzer shows only issues
> also affecting production and ones someone intends to work on.
> Otherwise it shows many issues that will distract and confuse
> 
> 
>> I might not fully understand what you meant, though.
> 
> Yes, I think we misunderstand each other a bit
> 
> 
> [...]
> 
>> Perhaps it
>> should be configurable per decoder.
> 
> That is what I suggested, or at least I meant to.
> For decoders where someone intends to fix every case where original buffer
> data with nothing written into it comes through, it could make sense to enable
> uninitialized input buffers.
> Still I have not seen anyone actually want to do that. I certainly don't have the
> time for any of the decoders that I maintain. But if someone else wants,
> I surely don't mind if (s)he turns this on and works on the additional cases for
> any decoders that I maintain ...
> 
> 
>>
>>> Or the short punchy reply maybe is
>>> Produce a volunteer who will fix these bugs before declaring them bugs.
>>> And when doing so consider that we have bugfixes on the mailing list for which we
>>> seem to not even have the manpower to review and apply them
>>>
>>> So yeah, my opinion is the default should be the simple & easy to maintain way.
>>> If someone declares their decoder to have flawless error concealment (and for some
>>> simple decoders that could be quite simple) these can always be excluded and use
>>> uninitialized buffers in the fuzzer
>>
>> What is the problem with keeping those reports and letting "someone"
>> work on their decoder based on reports?
> 
> ossfuzz is the problem,
> these issues are not separate/segregated nor do I see a way ossfuzz could
> separate them but again ATM we have no one intending to work on this so
> this patch solves it.
> 
> thx
> 
> [...]
> 
> 
Michael Niedermayer Aug. 12, 2024, 7:02 p.m. UTC | #7
On Sat, Aug 10, 2024 at 12:34:16PM -0300, James Almer wrote:
> On 8/9/2024 5:09 PM, Michael Niedermayer wrote:
> > Hi
> > 
> > On Fri, Aug 09, 2024 at 03:56:42AM +0200, Kacper Michajlow wrote:
> > > On Fri, 9 Aug 2024 at 00:06, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > > > 
> > > > On Thu, Aug 08, 2024 at 02:13:12PM -0300, James Almer wrote:
> > [...]
> > > > If decoders are fed with uninitialized buffers that's a
> > > > security issue because there are thousands if not tens of thousands of
> > > > paths if you consider the number of decoders and the number
> > > > of ways they can hit errors
> > > 
> > > Clearing those buffers in fuzzers does not alleviate this security
> > > issue, as they may still be uninitialized in production code.
> > 
> > The decoders in production clear the buffers. The fuzzer does not,
> > so the issues it shows don't exist in production
> > 
> > look yourself in get_buffer.c
> > 
> >                  pool->pools[i] = av_buffer_pool_init(size[i] + 16 + STRIDE_ALIGN - 1,
> >                                                       CONFIG_MEMORY_POISONING ?
> >                                                          NULL :
> >                                                          av_buffer_allocz);
> > It's av_buffer_allocz
> 
> I disagree. That's from avcodec_default_get_buffer2(). What about DR1
> decoders where the caller is using their own avctx.get_buffer2() callback?
> Nothing in the documentation says that the buffers must be zeroed.
> 
> I wrote the function you just changed with the intention of finding issues a
> library user could trigger, which included allocating buffers exactly as big
> as needed (with no extra padding) and not zeroing them, using lavu helpers
> like the get_buffer2() documentation states.
> 
> This change here makes half of that moot, and is hiding potential bugs in
> the form of use of uninitialized memory in our decoders.

We have several sanitizers, msan is just one of them.
Outside msan, using uninitialized buffers has only one effect, and that
is that it makes things less reproducible

Using uninitialized buffers is a security issue. It's a security issue
because many of our decoders pass uninitialized data through on errors.
An attacker uploads a file with an error and gets an encoded file back; that
encoded file now contains what was in the memory of these uninitialized buffers.
An attacker is not supposed to be able to read your memory like that

We have 481 DR1 decoders. For the use of uninitialized buffers to be safe
you need every error path in every one of these decoders to clean every bit of
the buffer that was not initialized.
This is not how you design secure software.
Design that needs "every" multiplied by "every" to do a specific thing is bad security

No one volunteered to make all the decoders handle uninitialized buffers.
Simply making these issues appear in ossfuzz doesn't fix them

IMHO
If someone wants to work on uninitialized buffer support and fixes, perfectly
fine with me. What I do not agree to is the attempt to force the already very
busy people to work on and fix these issues when a simple "memset()" avoids
the whole issue

Again, on one hand one memset(), on the other 481 DR1 decoders that clear the right
bits of the buffer on EVERY error path.

That's like strlcpy() vs strcpy() with no bugs on any use. We know which of these
is a bad idea. Why is it here something we argue about?
Because DR1 doesn't document that the buffer contents can leak through (which
really is what it should say, not "you must clear it").
It's good enough if the user app ensures the buffer contains no sensitive data

And no matter how hard we try to fix all decoders so they never leak something
through, we should still say the custom buffers should not contain sensitive
data, so I am not sure, but I don't think we disagree here, or do we?

thx

[...]
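As an added illustration of the two positions argued above (the memset() argument in #7 and the CONFIG_MEMORY_POISONING reference from get_buffer.c in #5), and not code from FFmpeg or from anyone in the thread: a self-contained C model in which a decoder's truncation path leaves rows unwritten, with the harness allocator switchable between zeroing and poisoning. Every name in it (toy_get_buffer, toy_decode, count_poison_bytes, POISON_BYTE) is hypothetical, and the packet it decodes is constructed inline.

```c
/* Added example, not FFmpeg code: a toy model of a fuzzing harness's frame
 * allocator and a decoder whose error path leaves rows unwritten.  It shows
 * why zeroing the buffers (what av_buffer_allocz() does) hides the leak that
 * uninitialized buffers expose, and how deterministic poisoning (the idea
 * behind CONFIG_MEMORY_POISONING in get_buffer.c) keeps it detectable
 * without MSan.  Every name below is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum buf_mode {
    BUF_UNINIT,  /* malloc(): contents undefined, only MSan can flag reads   */
    BUF_ZERO,    /* calloc(): the av_buffer_allocz() behaviour of the patch  */
    BUF_POISON   /* malloc()+memset(): stale bytes carry a recognisable mark */
};

#define POISON_BYTE 0x2a

struct toy_frame {
    int width, height;
    uint8_t *data;  /* one 8-bit plane, `width` bytes per row, no padding */
};

/* Hypothetical get_buffer2()-style callback: give the decoder a plane
 * allocated according to `mode`.  Returns 0 on success, -1 on OOM. */
static int toy_get_buffer(struct toy_frame *f, int width, int height,
                          enum buf_mode mode)
{
    size_t size = (size_t)width * (size_t)height;
    f->width  = width;
    f->height = height;
    f->data   = mode == BUF_ZERO ? calloc(1, size) : malloc(size);
    if (!f->data)
        return -1;
    if (mode == BUF_POISON)
        memset(f->data, POISON_BYTE, size);
    return 0;
}

/* Hypothetical decoder: each packet byte is the fill value of one row, so a
 * packet shorter than `height` rows is a truncation error.  Like the error
 * paths discussed in the thread, it returns without touching the remaining
 * rows, and whatever the allocator left there reaches the caller.
 * Returns the number of rows actually written. */
static int toy_decode(struct toy_frame *f, const uint8_t *pkt, size_t pkt_len)
{
    int rows = 0;
    for (int y = 0; y < f->height; y++) {
        if ((size_t)y >= pkt_len)
            return rows;  /* truncated input: rows y..height-1 stay untouched */
        memset(f->data + (size_t)y * (size_t)f->width, pkt[y], (size_t)f->width);
        rows++;
    }
    return rows;
}

/* Post-decode check a harness can run: count bytes still carrying the poison
 * pattern.  Under BUF_POISON a nonzero count means allocator contents passed
 * through the decoder, which in production means whatever a caller's custom
 * get_buffer2() left in memory would have been exported the same way. */
static size_t count_poison_bytes(const struct toy_frame *f)
{
    size_t n = 0, size = (size_t)f->width * (size_t)f->height;
    for (size_t i = 0; i < size; i++)
        n += f->data[i] == POISON_BYTE;
    return n;
}

/* Decode one constructed, truncated packet under `mode` and return how many
 * leaked (still-poisoned) bytes the check reports.  Not meant for BUF_UNINIT:
 * reading the unwritten rows there is exactly the access MSan reports. */
static size_t leaked_bytes_for_mode(enum buf_mode mode)
{
    static const uint8_t pkt[] = { 0x10, 0x20 };  /* 2 rows for a 4-row frame */
    struct toy_frame f;
    size_t leaked;

    if (toy_get_buffer(&f, 8, 4, mode) < 0)
        return (size_t)-1;
    toy_decode(&f, pkt, sizeof(pkt));
    leaked = count_poison_bytes(&f);
    free(f.data);
    return leaked;
}

int main(void)
{
    /* BUF_ZERO reports 0: the two unwritten rows look like valid black pixels,
     * which is what the patch's unconditional zeroing does to every report.
     * BUF_POISON reports 2 rows * 8 bytes = 16 on every run, MSan or not. */
    return leaked_bytes_for_mode(BUF_POISON) == 16 &&
           leaked_bytes_for_mode(BUF_ZERO)   == 0 ? 0 : 1;
}
```

The poison mode is what makes a pass-through deterministic and reportable by a plain build, which is the property the thread wants from the fuzzer without depending on MSan's view of which bytes are initialized.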
Michael Niedermayer Aug. 14, 2024, 9:13 p.m. UTC | #8
On Mon, Aug 12, 2024 at 09:02:00PM +0200, Michael Niedermayer wrote:
> On Sat, Aug 10, 2024 at 12:34:16PM -0300, James Almer wrote:
> > On 8/9/2024 5:09 PM, Michael Niedermayer wrote:
> > > Hi
> > > 
> > > On Fri, Aug 09, 2024 at 03:56:42AM +0200, Kacper Michajlow wrote:
> > > > On Fri, 9 Aug 2024 at 00:06, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > > > > 
> > > > > On Thu, Aug 08, 2024 at 02:13:12PM -0300, James Almer wrote:
> > > [...]
> > > > > If decoders are fed with uninitialized buffers that's a
> > > > > security issue because there are thousands if not tens of thousands of
> > > > > paths if you consider the number of decoders and the number
> > > > > of ways they can hit errors
> > > > 
> > > > Clearing those buffers in fuzzers does not alleviate this security
> > > > issue, as they may still be uninitialized in production code.
> > > 
> > > The decoders in production clear the buffers. The fuzzer does not,
> > > so the issues it shows don't exist in production
> > > 
> > > look yourself in get_buffer.c
> > > 
> > >                  pool->pools[i] = av_buffer_pool_init(size[i] + 16 + STRIDE_ALIGN - 1,
> > >                                                       CONFIG_MEMORY_POISONING ?
> > >                                                          NULL :
> > >                                                          av_buffer_allocz);
> > > It's av_buffer_allocz
> > 
> > I disagree. That's from avcodec_default_get_buffer2(). What about DR1
> > decoders where the caller is using their own avctx.get_buffer2() callback?
> > Nothing in the documentation says that the buffers must be zeroed.
> > 
> > I wrote the function you just changed with the intention of finding issues a
> > library user could trigger, which included allocating buffers exactly as big
> > as needed (with no extra padding) and not zeroing them, using lavu helpers
> > like the get_buffer2() documentation states.
> > 
> > This change here makes half of that moot, and is hiding potential bugs in
> > the form of use of uninitialized memory in our decoders.
> 
> We have several sanitizers, msan is just one of them.
> Outside msan, using uninitialized buffers has only one effect, and that
> is that it makes things less reproducible
> 
> Using uninitialized buffers is a security issue. It's a security issue
> because many of our decoders pass uninitialized data through on errors.
> An attacker uploads a file with an error and gets an encoded file back; that
> encoded file now contains what was in the memory of these uninitialized buffers.
> An attacker is not supposed to be able to read your memory like that
> 
> We have 481 DR1 decoders. For the use of uninitialized buffers to be safe
> you need every error path in every one of these decoders to clean every bit of
> the buffer that was not initialized.
> This is not how you design secure software.
> Design that needs "every" multiplied by "every" to do a specific thing is bad security
> 
> No one volunteered to make all the decoders handle uninitialized buffers.
> Simply making these issues appear in ossfuzz doesn't fix them
> 
> IMHO
> If someone wants to work on uninitialized buffer support and fixes, perfectly
> fine with me. What I do not agree to is the attempt to force the already very
> busy people to work on and fix these issues when a simple "memset()" avoids
> the whole issue
> 
> Again, on one hand one memset(), on the other 481 DR1 decoders that clear the right
> bits of the buffer on EVERY error path.
> 
> That's like strlcpy() vs strcpy() with no bugs on any use. We know which of these
> is a bad idea. Why is it here something we argue about?
> Because DR1 doesn't document that the buffer contents can leak through (which
> really is what it should say, not "you must clear it").
> It's good enough if the user app ensures the buffer contains no sensitive data
> 
> And no matter how hard we try to fix all decoders so they never leak something
> through, we should still say the custom buffers should not contain sensitive
> data, so I am not sure, but I don't think we disagree here, or do we?
> 
> thx

Also if someone wants to look at decoders passing uninitialized data through,
here are a few

70836
    #0 0x567ec5e29ae1 in ff_add_png_paeth_prediction /src/ffmpeg/libavcodec/pngdec.c:236:22
    #1 0x567ec5e2a96f in ff_png_filter_row /src/ffmpeg/libavcodec/pngdec.c:330:17
    #2 0x567ec5de85ca in handle_row /src/ffmpeg/libavcodec/lscrdec.c:71:5
    #3 0x567ec5de85ca in decode_idat /src/ffmpeg/libavcodec/lscrdec.c:97:17
    #4 0x567ec5de85ca in decode_frame_lscr /src/ffmpeg/libavcodec/lscrdec.c:193:19
    #5 0x567ec5dca27b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #6 0x567ec5dca27b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #7 0x567ec5dca27b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #8 0x567ec5dc97e3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #9 0x567ec5db72bc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #10 0x567ec5cb0a20 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #11 0x567ec5c9b1b4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #12 0x567ec5ca0c4a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #13 0x567ec5ccd042 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x7dd57860d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #15 0x567ec5c91c8d in _start
  Uninitialized value was created by a heap allocation
    #0 0x567ec5d53603 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x567ec6564b48 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x567ec6517df2 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x567ec5db9c46 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x567ec5db9c46 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x567ec5dd54b0 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x567ec5dd6707 in reget_buffer_internal /src/ffmpeg/libavcodec/decode.c:1661:16
    #7 0x567ec5dd6707 in ff_reget_buffer /src/ffmpeg/libavcodec/decode.c:1686:15
    #8 0x567ec5de6cd9 in decode_frame_lscr /src/ffmpeg/libavcodec/lscrdec.c:130:11
    #9 0x567ec5dca27b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #10 0x567ec5dca27b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #11 0x567ec5dca27b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #12 0x567ec5dc97e3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #13 0x567ec5db72bc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #14 0x567ec5cb0a20 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #15 0x567ec5c9b1b4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #16 0x567ec5ca0c4a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #17 0x567ec5ccd042 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #18 0x7dd57860d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

70838 (i already fixed this one)
    #0 0x593ba893f86c in add_left_pred_c /src/ffmpeg/libavcodec/lossless_videodsp.c:80:5
    #1 0x593ba85617ba in decode_frame /src/ffmpeg/libavcodec/mvha.c:262:9
    #2 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #12 0x593ba83d6bcd in _start
  Uninitialized value was stored to memory at
    #0 0x593ba893f6c6 in add_left_pred_c /src/ffmpeg/libavcodec/lossless_videodsp.c:69:16
    #1 0x593ba85617ba in decode_frame /src/ffmpeg/libavcodec/mvha.c:262:9
    #2 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was stored to memory at
    #0 0x593ba893f70b in add_left_pred_c /src/ffmpeg/libavcodec/lossless_videodsp.c:72:16
    #1 0x593ba85617ba in decode_frame /src/ffmpeg/libavcodec/mvha.c:262:9
    #2 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was stored to memory at
    #0 0x593ba893f6c6 in add_left_pred_c /src/ffmpeg/libavcodec/lossless_videodsp.c:69:16
    #1 0x593ba85617ba in decode_frame /src/ffmpeg/libavcodec/mvha.c:262:9
    #2 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was created by a heap allocation
    #0 0x593ba8498543 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x593ba8c904c8 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x593ba8c44ac2 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x593ba84feb86 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x593ba84feb86 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x593ba851a3f0 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x593ba8560d57 in decode_frame /src/ffmpeg/libavcodec/mvha.c:170:20
    #7 0x593ba850f1bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #8 0x593ba850f1bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #9 0x593ba850f1bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #10 0x593ba850e723 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #11 0x593ba84fc1fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #12 0x593ba83f5960 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #13 0x593ba83e00f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #14 0x593ba83e5b8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #15 0x593ba8411f82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #16 0x7cbc84ec4082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

70848
    #0 0x59d52678fcd5 in av_clip_c /src/ffmpeg/libavutil/common.h:183:14
    #1 0x59d52678fcd5 in filter181 /src/ffmpeg/libavcodec/error_resilience.c:125:19
    #2 0x59d52678fcd5 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1281:5
    #3 0x59d52670f498 in finish_frame /src/ffmpeg/libavcodec/rv34.c:1582:5
    #4 0x59d526702d83 in ff_rv34_decode_frame /src/ffmpeg/libavcodec/rv34.c:1802:19
    #5 0x59d526111a6b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #6 0x59d526111a6b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #7 0x59d526111a6b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #8 0x59d526110fd3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #9 0x59d5260feaac in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #10 0x59d525ff8210 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #11 0x59d525fe29a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #12 0x59d525fe843a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #13 0x59d526014832 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x7b1cb6cc5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #15 0x59d525fd947d in _start
  Uninitialized value was stored to memory at
    #0 0x59d52678dad2 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1255:59
    #1 0x59d52670f498 in finish_frame /src/ffmpeg/libavcodec/rv34.c:1582:5
    #2 0x59d526702d83 in ff_rv34_decode_frame /src/ffmpeg/libavcodec/rv34.c:1802:19
    #3 0x59d526111a6b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #4 0x59d526111a6b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #5 0x59d526111a6b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #6 0x59d526110fd3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #7 0x59d5260feaac in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #8 0x59d525ff8210 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #9 0x59d525fe29a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #10 0x59d525fe843a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #11 0x59d526014832 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #12 0x7b1cb6cc5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was stored to memory at
    #0 0x59d5265f7d5d in put_pixels8_8_c /src/ffmpeg/libavcodec/pel_template.c:78:1
    #1 0x59d5265f7d5d in put_pixels16_8_c /src/ffmpeg/libavcodec/pel_template.c:78:1
    #2 0x59d5266b6455 in mpeg_motion_internal /src/ffmpeg/libavcodec/mpegvideo_motion.c:205:5
    #3 0x59d5266b6455 in mpeg_motion /src/ffmpeg/libavcodec/mpegvideo_motion.c:232:9
    #4 0x59d5266b3606 in mpv_motion_internal /src/ffmpeg/libavcodec/mpegvideo_motion.c:0
    #5 0x59d5266b3606 in ff_mpv_motion /src/ffmpeg/libavcodec/mpegvideo_motion.c:0
    #6 0x59d526697988 in mpv_reconstruct_mb_internal /src/ffmpeg/libavcodec/mpv_reconstruct_mb_template.c:147:21
    #7 0x59d526697988 in ff_mpv_reconstruct_mb /src/ffmpeg/libavcodec/mpegvideo_dec.c:930:13
    #8 0x59d5267925c1 in guess_mv /src/ffmpeg/libavcodec/error_resilience.c:456:17
    #9 0x59d52678d549 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1224:9
    #10 0x59d52670f498 in finish_frame /src/ffmpeg/libavcodec/rv34.c:1582:5
    #11 0x59d526702d83 in ff_rv34_decode_frame /src/ffmpeg/libavcodec/rv34.c:1802:19
    #12 0x59d526111a6b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #13 0x59d526111a6b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #14 0x59d526111a6b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #15 0x59d526110fd3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #16 0x59d5260feaac in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #17 0x59d525ff8210 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #18 0x59d525fe29a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #19 0x59d525fe843a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #20 0x59d526014832 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #21 0x7b1cb6cc5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was created by a heap allocation
    #0 0x59d52609adf3 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x59d526982dc8 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x59d5269373c2 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x59d526101436 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x59d526101436 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x59d52611cca0 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x59d526175c29 in thread_get_buffer_internal /src/ffmpeg/libavcodec/pthread_frame.c:969:16
    #7 0x59d526175c29 in ff_thread_get_buffer /src/ffmpeg/libavcodec/pthread_frame.c:988:15
    #8 0x59d526690078 in alloc_picture /src/ffmpeg/libavcodec/mpegvideo_dec.c:234:15
    #9 0x59d525fcc4a2 in alloc_dummy_frame /src/ffmpeg/libavcodec/mpegvideo_dec.c:271:15
    #10 0x59d52668ed1c in ff_mpv_alloc_dummy_frames /src/ffmpeg/libavcodec/mpegvideo_dec.c:318:15
    #11 0x59d52668f9ae in ff_mpv_frame_start /src/ffmpeg/libavcodec/mpegvideo_dec.c:384:11
    #12 0x59d526702afc in ff_rv34_decode_frame /src/ffmpeg/libavcodec/rv34.c:1706:13
    #13 0x59d526111a6b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #14 0x59d526111a6b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #15 0x59d526111a6b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #16 0x59d526110fd3 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #17 0x59d5260feaac in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #18 0x59d525ff8210 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #19 0x59d525fe29a4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #20 0x59d525fe843a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #21 0x59d526014832 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #22 0x7b1cb6cc5082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

70858
    #0 0x57ffd5699628 in loop_filter /src/ffmpeg/libavcodec/vp9dsp_template.c:1796:38
    #1 0x57ffd5699628 in loop_filter_v_8_8_c /src/ffmpeg/libavcodec/vp9dsp_template.c:1906:1
    #2 0x57ffd5721d2c in filter_plane_rows /src/ffmpeg/libavcodec/vp9lpf.c:0:25
    #3 0x57ffd5721d2c in ff_vp9_loopfilter_sb /src/ffmpeg/libavcodec/vp9lpf.c:201:9
    #4 0x57ffd55d64a8 in decode_tiles /src/ffmpeg/libavcodec/vp9.c:1372:21
    #5 0x57ffd55d64a8 in vp9_decode_frame /src/ffmpeg/libavcodec/vp9.c:1716:19
    #6 0x57ffd552c5bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #7 0x57ffd552c5bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #8 0x57ffd552c5bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #9 0x57ffd552bb23 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #10 0x57ffd55195fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #11 0x57ffd5412d60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #12 0x57ffd53fd4f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #13 0x57ffd5402f8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #14 0x57ffd542f382 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0x7c7d13998082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #16 0x57ffd53f3fcd in _start
  Uninitialized value was created by a heap allocation
    #0 0x57ffd54b5943 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x57ffd5f209e8 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x57ffd5ed4fe2 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x57ffd551bf86 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x57ffd551bf86 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x57ffd55377f0 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x57ffd5590779 in thread_get_buffer_internal /src/ffmpeg/libavcodec/pthread_frame.c:969:16
    #7 0x57ffd5590779 in ff_thread_get_buffer /src/ffmpeg/libavcodec/pthread_frame.c:988:15
    #8 0x57ffd5538d8a in ff_progress_frame_get_buffer /src/ffmpeg/libavcodec/decode.c:1725:11
    #9 0x57ffd55d19fb in vp9_frame_alloc /src/ffmpeg/libavcodec/vp9.c:110:11
    #10 0x57ffd55d19fb in vp9_decode_frame /src/ffmpeg/libavcodec/vp9.c:1588:16
    #11 0x57ffd552c5bb in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #12 0x57ffd552c5bb in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #13 0x57ffd552c5bb in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #14 0x57ffd552bb23 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #15 0x57ffd55195fc in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #16 0x57ffd5412d60 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #17 0x57ffd53fd4f4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #18 0x57ffd5402f8a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #19 0x57ffd542f382 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #20 0x7c7d13998082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16

70870
    #0 0x5c9ac4ef5b92 in av_clip_c /src/ffmpeg/libavutil/common.h:183:14
    #1 0x5c9ac4ef5b92 in filter181 /src/ffmpeg/libavcodec/error_resilience.c:109:19
    #2 0x5c9ac4ef5b92 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1281:5
    #3 0x5c9ac4be8ebe in slice_end /src/ffmpeg/libavcodec/mpeg12dec.c:1740:9
    #4 0x5c9ac4be8ebe in decode_chunks /src/ffmpeg/libavcodec/mpeg12dec.c:2198:23
    #5 0x5c9ac4bd65ce in mpeg_decode_frame /src/ffmpeg/libavcodec/mpeg12dec.c:2546:11
    #6 0x5c9ac4b83e2b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #7 0x5c9ac4b83e2b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #8 0x5c9ac4b83e2b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #9 0x5c9ac4b83393 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #10 0x5c9ac4b70e6c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #11 0x5c9ac4a6a5d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #12 0x5c9ac4a54d64 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #13 0x5c9ac4a5a7fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #14 0x5c9ac4a86bf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0x7edc6d9b0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #16 0x5c9ac4a4b83d in _start
  Uninitialized value was stored to memory at
    #0 0x5c9ac4ef39a2 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1255:59
    #1 0x5c9ac4be8ebe in slice_end /src/ffmpeg/libavcodec/mpeg12dec.c:1740:9
    #2 0x5c9ac4be8ebe in decode_chunks /src/ffmpeg/libavcodec/mpeg12dec.c:2198:23
    #3 0x5c9ac4bd65ce in mpeg_decode_frame /src/ffmpeg/libavcodec/mpeg12dec.c:2546:11
    #4 0x5c9ac4b83e2b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #5 0x5c9ac4b83e2b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #6 0x5c9ac4b83e2b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #7 0x5c9ac4b83393 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #8 0x5c9ac4b70e6c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #9 0x5c9ac4a6a5d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #10 0x5c9ac4a54d64 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #11 0x5c9ac4a5a7fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #12 0x5c9ac4a86bf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #13 0x7edc6d9b0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was stored to memory at
    #0 0x5c9ac500cb9c in put_pixels8_8_c /src/ffmpeg/libavcodec/pel_template.c:78:1
    #1 0x5c9ac500cb9c in put_pixels16_8_c /src/ffmpeg/libavcodec/pel_template.c:78:1
    #2 0x5c9ac4c2f170 in mpeg_motion_internal /src/ffmpeg/libavcodec/mpegvideo_motion.c:205:5
    #3 0x5c9ac4c2f170 in mpeg_motion /src/ffmpeg/libavcodec/mpegvideo_motion.c:227:9
    #4 0x5c9ac4c2bc46 in mpv_motion_internal /src/ffmpeg/libavcodec/mpegvideo_motion.c:0
    #5 0x5c9ac4c2bc46 in ff_mpv_motion /src/ffmpeg/libavcodec/mpegvideo_motion.c:0
    #6 0x5c9ac4c0cc7e in mpv_reconstruct_mb_internal /src/ffmpeg/libavcodec/mpv_reconstruct_mb_template.c:147:21
    #7 0x5c9ac4c0cc7e in ff_mpv_reconstruct_mb /src/ffmpeg/libavcodec/mpegvideo_dec.c:928:13
    #8 0x5c9ac4ef8491 in guess_mv /src/ffmpeg/libavcodec/error_resilience.c:456:17
    #9 0x5c9ac4ef3419 in ff_er_frame_end /src/ffmpeg/libavcodec/error_resilience.c:1224:9
    #10 0x5c9ac4be8ebe in slice_end /src/ffmpeg/libavcodec/mpeg12dec.c:1740:9
    #11 0x5c9ac4be8ebe in decode_chunks /src/ffmpeg/libavcodec/mpeg12dec.c:2198:23
    #12 0x5c9ac4bd65ce in mpeg_decode_frame /src/ffmpeg/libavcodec/mpeg12dec.c:2546:11
    #13 0x5c9ac4b83e2b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #14 0x5c9ac4b83e2b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #15 0x5c9ac4b83e2b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #16 0x5c9ac4b83393 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #17 0x5c9ac4b70e6c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #18 0x5c9ac4a6a5d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #19 0x5c9ac4a54d64 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #20 0x5c9ac4a5a7fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #21 0x5c9ac4a86bf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #22 0x7edc6d9b0082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
  Uninitialized value was created by a heap allocation
    #0 0x5c9ac4b0d1b3 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x5c9ac5326e38 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x5c9ac52db432 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x5c9ac4b737f6 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x5c9ac4b737f6 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x5c9ac4b8f060 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x5c9ac4c44829 in thread_get_buffer_internal /src/ffmpeg/libavcodec/pthread_frame.c:969:16
    #7 0x5c9ac4c44829 in ff_thread_get_buffer /src/ffmpeg/libavcodec/pthread_frame.c:988:15
    #8 0x5c9ac4c086b8 in alloc_picture /src/ffmpeg/libavcodec/mpegvideo_dec.c:234:15
    #9 0x5c9ac4a3604b in alloc_dummy_frame /src/ffmpeg/libavcodec/mpegvideo_dec.c:271:15
    #10 0x5c9ac4c0735c in ff_mpv_alloc_dummy_frames /src/ffmpeg/libavcodec/mpegvideo_dec.c:318:15
    #11 0x5c9ac4c07fee in ff_mpv_frame_start /src/ffmpeg/libavcodec/mpegvideo_dec.c:384:11
    #12 0x5c9ac4beb6b8 in mpeg_field_start /src/ffmpeg/libavcodec/mpeg12dec.c:1268:20
    #13 0x5c9ac4be18f2 in decode_chunks /src/ffmpeg/libavcodec/mpeg12dec.c:2446:32
    #14 0x5c9ac4bd65ce in mpeg_decode_frame /src/ffmpeg/libavcodec/mpeg12dec.c:2546:11
    #15 0x5c9ac4b83e2b in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #16 0x5c9ac4b83e2b in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #17 0x5c9ac4b83e2b in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #18 0x5c9ac4b83393 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #19 0x5c9ac4b70e6c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #20 0x5c9ac4a6a5d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #21 0x5c9ac4a54d64 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #22 0x5c9ac4a5a7fa in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #23 0x5c9ac4a86bf2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10

70928
==6524==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x5c2c3d950a9b in run_postproc /src/ffmpeg/libavcodec/dds.c:483:21
    #1 0x5c2c3d94acc0 in dds_decode /src/ffmpeg/libavcodec/dds.c:711:9
    #2 0x5c2c3d9529db in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #3 0x5c2c3d9529db in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #4 0x5c2c3d9529db in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #5 0x5c2c3d951f43 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #6 0x5c2c3d93624c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #7 0x5c2c3d82f9b0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #8 0x5c2c3d81a144 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #9 0x5c2c3d81fbda in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #10 0x5c2c3d84bfd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7ce16e94d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16
    #12 0x5c2c3d810c1d in _start
  Uninitialized value was created by a heap allocation
    #0 0x5c2c3d8d2593 in ___interceptor_posix_memalign /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:162:3
    #1 0x5c2c3e0d2798 in av_malloc /src/ffmpeg/libavutil/mem.c:107:9
    #2 0x5c2c3e086d92 in av_buffer_alloc /src/ffmpeg/libavutil/buffer.c:82:12
    #3 0x5c2c3d938bd6 in fuzz_video_get_buffer /src/ffmpeg/tools/target_dec_fuzzer.c:132:25
    #4 0x5c2c3d938bd6 in fuzz_get_buffer2 /src/ffmpeg/tools/target_dec_fuzzer.c:153:18
    #5 0x5c2c3d95dc10 in ff_get_buffer /src/ffmpeg/libavcodec/decode.c:1621:11
    #6 0x5c2c3d949f58 in dds_decode /src/ffmpeg/libavcodec/dds.c:618:11
    #7 0x5c2c3d9529db in decode_simple_internal /src/ffmpeg/libavcodec/decode.c:429:20
    #8 0x5c2c3d9529db in decode_simple_receive_frame /src/ffmpeg/libavcodec/decode.c:600:15
    #9 0x5c2c3d9529db in decode_receive_frame_internal /src/ffmpeg/libavcodec/decode.c:631:15
    #10 0x5c2c3d951f43 in avcodec_send_packet /src/ffmpeg/libavcodec/decode.c:721:15
    #11 0x5c2c3d93624c in LLVMFuzzerTestOneInput /src/ffmpeg/tools/target_dec_fuzzer.c:534:25
    #12 0x5c2c3d82f9b0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #13 0x5c2c3d81a144 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #14 0x5c2c3d81fbda in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #15 0x5c2c3d84bfd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #16 0x7ce16e94d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/libc-start.c:308:16


Ohh and maybe also all these that ossfuzz stuffed into an unrelated adpcm issue; they look suspiciously related to the
issues above.

(all entries: Use-of-uninitialized-value, Project ffmpeg, Platform linux, Reliably reproduces, Security)

Date                         Issue  Status  Top stack frames
Mon, Aug 12, 2024, 4:22 PM   70618         decode_format80 / vqa_decode_frame / decode_receive_frame_internal
Mon, Aug 12, 2024, 7:42 AM   70618         imc_decode_frame / decode_receive_frame_internal / avcodec_send_packet
Sun, Aug 11, 2024, 11:30 AM  70618  Fixed  vp3_v_loop_filter_8_c / apply_loop_filter / vp3_decode_frame
Sun, Aug 11, 2024, 4:31 AM   70618         decompress_p3 / decode_frame / decode_receive_frame_internal
Sat, Aug 10, 2024, 2:00 AM   70618  Fixed  decode_nal_units / hevc_decode_frame / decode_receive_frame_internal
Fri, Aug 9, 2024, 5:19 PM    70618  Fixed  vp3_h_loop_filter_8_c / apply_loop_filter / vp3_decode_frame
Fri, Aug 9, 2024, 12:48 PM   70618  Fixed  ff_vp3dsp_h_loop_filter_12 / vp3_decode_frame / decode_receive_frame_internal
Fri, Aug 9, 2024, 3:57 AM    70618         ff_dsd2pcm_translate / decode_frame / decode_receive_frame_internal
Thu, Aug 8, 2024, 7:35 PM    70618  Fixed  rv30_loop_filter / ff_rv34_decode_frame / decode_receive_frame_internal
Thu, Aug 8, 2024, 2:46 PM    70618         decode_frame / decode_receive_frame_internal / ff_decode_receive_frame
Thu, Aug 8, 2024, 4:42 AM    71025         rv30_loop_filter / rv34_decode_slice / ff_rv34_decode_frame
Thu, Aug 8, 2024, 4:13 AM    70618  Fixed  loop_filter_h_4_8_c / ff_vp9_loopfilter_sb / vp9_decode_frame
Thu, Aug 8, 2024, 3:03 AM    70618         decompress_p / decode_frame / decode_receive_frame_internal
Wed, Aug 7, 2024, 11:55 PM   71021         ff_h274_apply_film_grain / decode_nal_units / hevc_decode_frame
Wed, Aug 7, 2024, 4:03 AM    70618         add_median_pred_c / decode_frame / decode_receive_frame_internal
Tue, Aug 6, 2024, 9:37 PM    70618  Fixed  ff_er_frame_end / ff_h263_decode_frame / decode_receive_frame_internal
Sat, Aug 3, 2024, 6:52 PM    70618         tgq_decode_frame / decode_receive_frame_internal / avcodec_send_packet
Sat, Aug 3, 2024, 4:18 PM    70926         guess_mv / ff_er_frame_end / vc1_decode_frame
Fri, Aug 2, 2024, 11:31 AM   70618  Fixed  mp_decode_frame / decode_receive_frame_internal / avcodec_send_packet
Fri, Aug 2, 2024, 1:19 AM    70618         decode_frame / decode_receive_frame_internal / avcodec_send_packet
Thu, Aug 1, 2024, 2:33 PM    70858         loop_filter_v_8_8_c / ff_vp9_loopfilter_sb / vp9_decode_frame
Thu, Aug 1, 2024, 7:57 AM    70848         ff_er_frame_end / finish_frame / ff_rv34_decode_frame
Thu, Aug 1, 2024, 2:27 AM    70838         add_left_pred_c / decode_frame / decode_receive_frame_internal
Wed, Jul 31, 2024, 11:08 PM  70836         ff_add_png_paeth_prediction / ff_png_filter_row / decode_frame_lscr

thx

[...]

Patch

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index d2d7e21dac7..794b5b92cc7 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -129,7 +129,7 @@  static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame)
 
     frame->extended_data = frame->data;
     for (i = 0; i < 4 && size[i]; i++) {
-        frame->buf[i] = av_buffer_alloc(size[i]);
+        frame->buf[i] = av_buffer_allocz(size[i]);
         if (!frame->buf[i])
             goto fail;
         frame->data[i] = frame->buf[i]->data;
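Review bot: the switch to av_buffer_allocz() at line 132 of fuzz_video_get_buffer should carry a comment explaining the intent, because it changes what the harness can report rather than fixing a decoder. The MSan trace quoted above places the origin of the uninitialized memory in exactly this allocation (fuzz_video_get_buffer -> av_buffer_alloc -> av_malloc -> posix_memalign), so zero-filling here will stop MSan from flagging any decoder that leaves part of a frame unwritten, including the entries in the thread's report list that are not marked Fixed, while those decoders themselves stay unchanged. Suggest a short comment beside the new line, for example `/* zero-fill so slices a decoder never writes have deterministic content */`, and keeping the not-yet-Fixed issues open so the decoder-side gaps remain tracked.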