CVE-2024-1580
Challenge Information
Project: dav1d
Type: full
Harnesses: 1
Vulnerabilities: 1
AFC Challenge Performance
Number of Unique Vulnerabilities Discovered: #
Number of Teams with Scoring PoVs: 1
Number of Teams with Scoring Patches: 1
Number of Teams with Scoring Bundles: 1
Total Points Scored for this Challenge: 11.890373450142473
What design decisions were considered for this challenge?
This challenge reproduces the dav1d repository state immediately before the fix for a bug disclosed by Google Project Zero. It tests whether competitors can independently rediscover that bug.
Why this set of vulnerabilities?
The vulnerability is the one Google Project Zero disclosed in October 2024, reproduced by checking out the repository state immediately before its fix. The intent is to observe whether competitors can find the same bug now.
See https://googleprojectzero.blogspot.com/2024/10/effective-fuzzing-dav1d-case-study.html and https://project-zero.issues.chromium.org/issues/42451651
Delta vs Full and why?
This is a full-scope challenge: competitors investigate the whole dav1d codebase, the same way Project Zero did.
Challenge Harnesses
- dav1d_fuzzer_mt@NO_OOM
Challenge Vulnerabilities
dav1d-001, CVE-2024-1580
Vulnerability Information
Author: David Wank
Harness: dav1d_fuzzer_mt@NO_OOM
CWE Classification: CWE-190
What functions and functionality is relevant?
The integer overflow (CWE-190) occurs in the setup code that partitions decoding work across worker threads when dav1d runs with multiple decoding threads, which is why the multi-threaded harness (dav1d_fuzzer_mt) is the one that reaches it.
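As an added illustration, not dav1d's code and not the actual overflowing expression (the linked Project Zero article describes that), here is a constructed C model of the bug class: a per-thread work table whose entry count is derived from frame dimensions in 32-bit arithmetic, beside an overflow-checked version. The block size, the task_entry layout, the function names and the 65536x65536 / 17-thread inputs are all assumptions chosen to make the wrap visible; the only thing taken from the page is that the overflow lives in multi-threaded work-distribution setup.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of CWE-190 in multi-threaded decoder setup. This is
 * NOT dav1d's code: the block size, the per-thread bookkeeping entry and
 * the input values are assumptions chosen to make the wrap visible. */

#define BLOCK 4   /* assumed: one bookkeeping entry per 4x4 block per thread */

struct task_entry { uint32_t state; uint32_t owner; };  /* assumed shape */

/* Vulnerable form: the entry count is derived from frame dimensions in
 * 32-bit arithmetic and wraps modulo 2^32. A wrapped value can be zero
 * or a plausible-looking positive number that is far too small, and an
 * allocation sized from it is then overrun by the worker threads. */
uint32_t entries_unsafe(int width, int height, int n_threads)
{
    uint32_t blocks_w = ((uint32_t)width  + BLOCK - 1) / BLOCK;
    uint32_t blocks_h = ((uint32_t)height + BLOCK - 1) / BLOCK;
    return blocks_w * blocks_h * (uint32_t)n_threads;   /* wraps silently */
}

/* Hardened form: inputs are validated, every multiplication is
 * overflow-checked, and the result is clamped to what int-indexing
 * callers can address. Returns 0 and sets *out on success, -1 on
 * overflow or invalid input. */
int entries_checked(int width, int height, int n_threads, size_t *out)
{
    if (width <= 0 || height <= 0 || n_threads <= 0 || out == NULL)
        return -1;
    size_t blocks_w = ((size_t)width  + BLOCK - 1) / BLOCK;
    size_t blocks_h = ((size_t)height + BLOCK - 1) / BLOCK;
    size_t blocks, entries;
    if (__builtin_mul_overflow(blocks_w, blocks_h, &blocks))         return -1;
    if (__builtin_mul_overflow(blocks, (size_t)n_threads, &entries)) return -1;
    if (entries > (size_t)INT_MAX)                                   return -1;
    *out = entries;
    return 0;
}

/* Allocate the per-thread table from the checked count and a checked
 * byte size. Returns NULL instead of an undersized buffer. */
struct task_entry *alloc_entries(int width, int height, int n_threads, size_t *count)
{
    size_t n, bytes;
    if (entries_checked(width, height, n_threads, &n) != 0)           return NULL;
    if (__builtin_mul_overflow(n, sizeof(struct task_entry), &bytes)) return NULL;
    struct task_entry *t = calloc(1, bytes);
    if (t != NULL && count != NULL) *count = n;
    return t;
}

int main(void)
{
    /* Constructed inputs: a 65536x65536 frame, the largest a 16-bit
     * frame-size field can express, decoded by a 17-thread pool. */
    printf("unsafe count for 17 threads: %u\n", entries_unsafe(65536, 65536, 17));
    printf("unsafe count for 1 thread:   %u\n", entries_unsafe(65536, 65536, 1));
    printf("unsafe count for 16 threads: %u\n", entries_unsafe(65536, 65536, 16));
    size_t n;
    printf("checked, 17 threads: %s\n",
           entries_checked(65536, 65536, 17, &n) == 0 ? "ok" : "rejected");
    struct task_entry *t = alloc_entries(1920, 1080, 8, &n);
    if (t) { printf("1080p, 8 threads: %zu entries\n", n); free(t); }
    return 0;
}
```

With 17 threads the wrapped count comes out equal to the single-thread count, so the table looks sane but is 17 times too small; with 16 threads it wraps to exactly zero. Neither value trips a naive "count > 0" check, which is why the hardened version checks each multiplication rather than the final result.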
Why is this vulnerable?
See the Project Zero article and issue linked below for details.
Is this a replay and/or is inspired by anything?
Yes. The vulnerability is the one Google Project Zero disclosed in October 2024, reproduced by checking out the repository state immediately before its fix. The intent is to observe whether competitors can find the same bug now.
See https://googleprojectzero.blogspot.com/2024/10/effective-fuzzing-dav1d-case-study.html and https://project-zero.issues.chromium.org/issues/42451651
What makes it interesting?
dav1d is an extremely widely used decoding library that ships in just about everything: Chrome, iOS, Android, and more. It is currently the AV1 software decoder, its Rust port (rav1d) notwithstanding. A potentially exploitable memory safety bug in it is dangerous to a great many people.
