/src/dav1d/tests/libfuzzer/dav1d_fuzzer.c

Source
/*
 * Copyright © 2018, VideoLAN and dav1d authors
 * Copyright © 2018, Janne Grunau
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice, this
 *    list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "config.h"

#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>

#include <dav1d/dav1d.h>
#include "src/cpu.h"
#include "dav1d_fuzzer.h"

#ifdef DAV1D_ALLOC_FAIL

#include "alloc_fail.h"

static unsigned djb_xor(const uint8_t * c, size_t len) {
    unsigned hash = 5381;
    for(size_t i = 0; i < len; i++)
        hash = hash * 33 ^ c[i];
    return hash;
}
#endif

static unsigned r32le(const uint8_t *const p) {
    return ((uint32_t)p[3] << 24U) | (p[2] << 16U) | (p[1] << 8U) | p[0];
}

#define DAV1D_FUZZ_MAX_SIZE 4096 * 4096

// search for "--cpumask xxx" in argv and remove both parameters
int LLVMFuzzerInitialize(int *argc, char ***argv) {
    int i = 1;
    for (; i < *argc; i++) {
        if (!strcmp((*argv)[i], "--cpumask")) {
            const char * cpumask = (*argv)[i+1];
            if (cpumask) {
                char *end;
                unsigned res;
                if (!strncmp(cpumask, "0x", 2)) {
                    cpumask += 2;
                    res = (unsigned) strtoul(cpumask, &end, 16);
                } else {
                    res = (unsigned) strtoul(cpumask, &end, 0);
                }
                if (end != cpumask && !end[0]) {
                    dav1d_set_cpu_flags_mask(res);
                }
            }
            break;
        }
    }

    for (; i < *argc - 2; i++) {
        (*argv)[i] = (*argv)[i + 2];
    }

    *argc = i;

    return 0;
}


// expects ivf input

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    Dav1dSettings settings = { 0 };
    Dav1dContext * ctx = NULL;
    Dav1dPicture pic;
    const uint8_t *ptr = data;
    int have_seq_hdr = 0;
    int err;

    dav1d_version();

    if (size < 32) goto end;
#ifdef DAV1D_ALLOC_FAIL
    unsigned h = djb_xor(ptr, 32);
    unsigned seed = h;
    unsigned probability = h > (RAND_MAX >> 5) ? RAND_MAX >> 5 : h;
    int max_frame_delay = (h & 0xf) + 1;
    int n_threads = ((h >> 4) & 0x7) + 1;
    if (max_frame_delay > 5) max_frame_delay = 1;
    if (n_threads > 3) n_threads = 1;
#endif
    ptr += 32; // skip ivf header

    dav1d_default_settings(&settings);

#ifdef DAV1D_MT_FUZZING
    settings.max_frame_delay = settings.n_threads = 4;
#elif defined(DAV1D_ALLOC_FAIL)
    settings.max_frame_delay = max_frame_delay;
    settings.n_threads = n_threads;
    dav1d_setup_alloc_fail(seed, probability);
#else
    settings.max_frame_delay = settings.n_threads = 1;
#endif
#if defined(DAV1D_FUZZ_MAX_SIZE)
    settings.frame_size_limit = DAV1D_FUZZ_MAX_SIZE;
#endif

    err = dav1d_open(&ctx, &settings);
    if (err < 0) goto end;

    while (ptr <= data + size - 12) {
        Dav1dData buf;
        uint8_t *p;

        size_t frame_size = r32le(ptr);
        ptr += 12;

        if (frame_size > size || ptr > data + size - frame_size)
            break;

        if (!frame_size) continue;

        if (!have_seq_hdr) {
            Dav1dSequenceHeader seq;
            int err = dav1d_parse_sequence_header(&seq, ptr, frame_size);
            // skip frames until we see a sequence header
            if  (err != 0) {
                ptr += frame_size;
                continue;
            }
            have_seq_hdr = 1;
        }

        // copy frame data to a new buffer to catch reads past the end of input
        p = dav1d_data_create(&buf, frame_size);
        if (!p) goto cleanup;
        memcpy(p, ptr, frame_size);
        ptr += frame_size;

        do {
            if ((err = dav1d_send_data(ctx, &buf)) < 0) {
                if (err != DAV1D_ERR(EAGAIN))
                    break;
            }
            memset(&pic, 0, sizeof(pic));
            err = dav1d_get_picture(ctx, &pic);
            if (err == 0) {
                dav1d_picture_unref(&pic);
            } else if (err != DAV1D_ERR(EAGAIN)) {
                break;
            }
        } while (buf.sz > 0);

        if (buf.sz > 0)
            dav1d_data_unref(&buf);
    }

    memset(&pic, 0, sizeof(pic));
    if ((err = dav1d_get_picture(ctx, &pic)) == 0) {
        /* Test calling dav1d_picture_unref() after dav1d_close() */
        do {
            Dav1dPicture pic2 = { 0 };
            if ((err = dav1d_get_picture(ctx, &pic2)) == 0)
                dav1d_picture_unref(&pic2);
        } while (err != DAV1D_ERR(EAGAIN));

        dav1d_close(&ctx);
        dav1d_picture_unref(&pic);
        return 0;
    }

cleanup:
    dav1d_close(&ctx);
end:
    return 0;
}

Line	Count	Source
1		/*
2		* Copyright © 2018, VideoLAN and dav1d authors
3		* Copyright © 2018, Janne Grunau
4		* All rights reserved.
5		*
6		* Redistribution and use in source and binary forms, with or without
7		* modification, are permitted provided that the following conditions are met:
8		*
9		* 1. Redistributions of source code must retain the above copyright notice, this
10		* list of conditions and the following disclaimer.
11		*
12		* 2. Redistributions in binary form must reproduce the above copyright notice,
13		* this list of conditions and the following disclaimer in the documentation
14		* and/or other materials provided with the distribution.
15		*
16		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
17		* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18		* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
19		* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
20		* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
21		* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
22		* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
23		* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24		* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
25		* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26		*/
27
28		#include "config.h"
29
30		#include <errno.h>
31		#include <stddef.h>
32		#include <stdint.h>
33		#include <string.h>
34		#include <stdlib.h>
35
36		#include <dav1d/dav1d.h>
37		#include "src/cpu.h"
38		#include "dav1d_fuzzer.h"
39
40		#ifdef DAV1D_ALLOC_FAIL
41
42		#include "alloc_fail.h"
43
44		static unsigned djb_xor(const uint8_t * c, size_t len) {
45		unsigned hash = 5381;
46		for(size_t i = 0; i < len; i++)
47		hash = hash * 33 ^ c[i];
48		return hash;
49		}
50		#endif
51
52	531k	static unsigned r32le(const uint8_t *const p) {
53	531k	return ((uint32_t)p[3] << 24U) \| (p[2] << 16U) \| (p[1] << 8U) \| p[0];
54	531k	}
55
56	19.6k	#define DAV1D_FUZZ_MAX_SIZE 4096 * 4096
57
58		// search for "--cpumask xxx" in argv and remove both parameters
59	4	int LLVMFuzzerInitialize(int argc, char **argv) {
60	4	int i = 1;
61	22	for (; i < *argc; i++) {
62	18	if (!strcmp((*argv)[i], "--cpumask")) {
63	0	const char * cpumask = (*argv)[i+1];
64	0	if (cpumask) {
65	0	char *end;
66	0	unsigned res;
67	0	if (!strncmp(cpumask, "0x", 2)) {
68	0	cpumask += 2;
69	0	res = (unsigned) strtoul(cpumask, &end, 16);
70	0	} else {
71	0	res = (unsigned) strtoul(cpumask, &end, 0);
72	0	}
73	0	if (end != cpumask && !end[0]) {
74	0	dav1d_set_cpu_flags_mask(res);
75	0	}
76	0	}
77	0	break;
78	0	}
79	18	}
80
81	4	for (; i < *argc - 2; i++) {
82	0	(argv)[i] = (argv)[i + 2];
83	0	}
84
85	4	*argc = i;
86
87	4	return 0;
88	4	}
89
90
91		// expects ivf input
92
93		int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
94	19.6k	{
95	19.6k	Dav1dSettings settings = { 0 };
96	19.6k	Dav1dContext * ctx = NULL;
97	19.6k	Dav1dPicture pic;
98	19.6k	const uint8_t *ptr = data;
99	19.6k	int have_seq_hdr = 0;
100	19.6k	int err;
101
102	19.6k	dav1d_version();
103
104	19.6k	if (size < 32) goto end;
105		#ifdef DAV1D_ALLOC_FAIL
106		unsigned h = djb_xor(ptr, 32);
107		unsigned seed = h;
108		unsigned probability = h > (RAND_MAX >> 5) ? RAND_MAX >> 5 : h;
109		int max_frame_delay = (h & 0xf) + 1;
110		int n_threads = ((h >> 4) & 0x7) + 1;
111		if (max_frame_delay > 5) max_frame_delay = 1;
112		if (n_threads > 3) n_threads = 1;
113		#endif
114	19.6k	ptr += 32; // skip ivf header
115
116	19.6k	dav1d_default_settings(&settings);
117
118	19.6k	#ifdef DAV1D_MT_FUZZING
119	19.6k	settings.max_frame_delay = settings.n_threads = 4;
120		#elif defined(DAV1D_ALLOC_FAIL)
121		settings.max_frame_delay = max_frame_delay;
122		settings.n_threads = n_threads;
123		dav1d_setup_alloc_fail(seed, probability);
124		#else
125		settings.max_frame_delay = settings.n_threads = 1;
126		#endif
127	19.6k	#if defined(DAV1D_FUZZ_MAX_SIZE)
128	19.6k	settings.frame_size_limit = DAV1D_FUZZ_MAX_SIZE;
129	19.6k	#endif
130
131	19.6k	err = dav1d_open(&ctx, &settings);
132	19.6k	if (err < 0) goto end;
133
134	547k	while (ptr <= data + size - 12) {
135	531k	Dav1dData buf;
136	531k	uint8_t *p;
137
138	531k	size_t frame_size = r32le(ptr);
139	531k	ptr += 12;
140
141	531k	if (frame_size > size \|\| ptr > data + size - frame_size)
142	3.14k	break;
143
144	528k	if (!frame_size) continue;
145
146	508k	if (!have_seq_hdr) {
147	25.7k	Dav1dSequenceHeader seq;
148	25.7k	int err = dav1d_parse_sequence_header(&seq, ptr, frame_size);
149		// skip frames until we see a sequence header
150	25.7k	if (err != 0) {
151	6.75k	ptr += frame_size;
152	6.75k	continue;
153	6.75k	}
154	19.0k	have_seq_hdr = 1;
155	19.0k	}
156
157		// copy frame data to a new buffer to catch reads past the end of input
158	501k	p = dav1d_data_create(&buf, frame_size);
159	501k	if (!p) goto cleanup;
160	501k	memcpy(p, ptr, frame_size);
161	501k	ptr += frame_size;
162
163	524k	do {
164	524k	if ((err = dav1d_send_data(ctx, &buf)) < 0) {
165	119k	if (err != DAV1D_ERR(EAGAIN))
166	95.1k	break;
167	119k	}
168	429k	memset(&pic, 0, sizeof(pic));
169	429k	err = dav1d_get_picture(ctx, &pic);
170	429k	if (err == 0) {
171	202k	dav1d_picture_unref(&pic);
172	226k	} else if (err != DAV1D_ERR(EAGAIN)) {
173	174k	break;
174	174k	}
175	429k	} while (buf.sz > 0);
176
177	501k	if (buf.sz > 0)
178	96.7k	dav1d_data_unref(&buf);
179	501k	}
180
181	19.6k	memset(&pic, 0, sizeof(pic));
182	19.6k	if ((err = dav1d_get_picture(ctx, &pic)) == 0) {
183		/* Test calling dav1d_picture_unref() after dav1d_close() */
184	15.8k	do {
185	15.8k	Dav1dPicture pic2 = { 0 };
186	15.8k	if ((err = dav1d_get_picture(ctx, &pic2)) == 0)
187	7.91k	dav1d_picture_unref(&pic2);
188	15.8k	} while (err != DAV1D_ERR(EAGAIN));
189
190	5.33k	dav1d_close(&ctx);
191	5.33k	dav1d_picture_unref(&pic);
192	5.33k	return 0;
193	5.33k	}
194
195	14.3k	cleanup:
196	14.3k	dav1d_close(&ctx);
197	14.3k	end:
198	14.3k	return 0;
199	14.3k	}

Coverage Report

Created: 2025-11-09 06:09