Project Zero
Effective Fuzzing: A Dav1d Case Study
Nick Galloway, a senior security engineer, discovered an integer overflow in the dav1d AV1 video decoder in 2023. The overflow leads to an out-of-bounds write to memory and is therefore a potential remote code execution vulnerability.

dav1d is a highly optimized AV1 decoder with separate code paths for different architectures. It is widely used in web browsers, which makes it a prime target for fuzzing.

Galloway found the bug with a modified version of the dav1d fuzzer in oss-fuzz, which defines build configurations for dav1d_fuzzer and dav1d_fuzzer_mt. The fuzzer implements LLVMFuzzerTestOneInput and initializes a Dav1dSettings struct with default values. The modified fuzzer reached the overflow by aiming to execute as many lines of code as possible with a small set of test cases.

The overflow occurs when multiple decoding threads are in use, while the decoder calculates the values for the tile start offset array. The overflowed values are then passed to setup_tile(), which performs the out-of-bounds writes. Two test cases were provided with the bug report, one of which is more likely to be exploitable.
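To show the bug class the article describes, here is an added example that is not dav1d's code and does not reproduce dav1d's actual tile-offset formula or its threading: a constructed tile start offset computation in 32-bit arithmetic, first unchecked (wrapping silently into small, plausible-looking offsets that a later per-tile setup would trust), then with overflow checks and a bound against the allocated frame size. The tile width, tile count and frame width are constructed inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a frame is split into n_tiles tiles of tile_w units
 * each, and the decoder records where every tile starts.  tile_w comes
 * from the (attacker-controlled) bitstream header. */
#define MAX_TILES 8

/* Unchecked version: i * tile_w is evaluated in 32-bit unsigned arithmetic
 * and wraps.  A huge tile_w can produce a small start offset that looks
 * valid, and whatever consumes the table then writes to the wrong place. */
static void tile_starts_unchecked(uint32_t tile_w, int n_tiles,
                                  uint32_t out[MAX_TILES]) {
    for (int i = 0; i < n_tiles && i < MAX_TILES; i++)
        out[i] = (uint32_t)i * tile_w;   /* wraps silently on overflow */
}

/* Hardened version: each product is overflow-checked and every start is
 * required to lie inside the frame the caller actually allocated.
 * Returns false (and fills nothing the caller should use) on bad input. */
static bool tile_starts_checked(uint32_t tile_w, int n_tiles,
                                uint32_t frame_w, uint32_t out[MAX_TILES]) {
    if (n_tiles < 1 || n_tiles > MAX_TILES || tile_w == 0)
        return false;
    for (int i = 0; i < n_tiles; i++) {
        uint32_t start;
        if (__builtin_mul_overflow((uint32_t)i, tile_w, &start))
            return false;                /* 32-bit overflow: reject the frame */
        if (start >= frame_w)
            return false;                /* tile would begin past the frame */
        out[i] = start;
    }
    return true;
}

int main(void) {
    uint32_t starts[MAX_TILES];
    /* Constructed malicious width: 2 * 0x80000001 wraps to 2 in 32 bits. */
    tile_starts_unchecked(0x80000001u, 3, starts);
    printf("unchecked start of tile 2: %u\n", starts[2]);
    printf("checked accepts it: %s\n",
           tile_starts_checked(0x80000001u, 3, 1920, starts) ? "yes" : "no");
    return 0;
}
```

Building a fuzz harness with clang's -fsanitize=integer turns the silent wrap in the unchecked version into a reported error, which is how this class of bug surfaces before it reaches the out-of-bounds write.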