Effective Fuzzing: A Dav1d Case Study
ID: ac008e7c-dc0d-5b02-9929-75a3b3f942f7
STIX ID: report--ac008e7c-dc0d-5b02-9929-75a3b3f942f7
Feed Name: Google Project Zero
Nick Galloway (Project Zero) discovered an integer overflow in the dav1d AV1 video decoder that can lead to out-of-bounds writes (CVE-2024-1580). The bug was exposed by modifying the existing oss-fuzz target to remove artificial frame-size limits and to fuzz configuration settings (including multithreading), which produced proof-of-concept test cases. The fix shipped in dav1d 1.4.0, and the report recommends broader fuzzing coverage and consideration of memory-safe parsers.
