/src/ffmpeg/tools/target_dec_fuzzer.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * This file is part of FFmpeg. |
3 | | * |
4 | | * FFmpeg is free software; you can redistribute it and/or |
5 | | * modify it under the terms of the GNU Lesser General Public |
6 | | * License as published by the Free Software Foundation; either |
7 | | * version 2.1 of the License, or (at your option) any later version. |
8 | | * |
9 | | * FFmpeg is distributed in the hope that it will be useful, |
10 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
11 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
12 | | * Lesser General Public License for more details. |
13 | | * |
14 | | * You should have received a copy of the GNU Lesser General Public |
15 | | * License along with FFmpeg; if not, write to the Free Software |
16 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
17 | | */ |
18 | | |
19 | | /* Targeted fuzzer that targets specific codecs depending on two |
20 | | compile-time flags. |
21 | | INSTRUCTIONS: |
22 | | |
23 | | * Get the very fresh clang, e.g. see http://libfuzzer.info#versions |
24 | | * Get and build libFuzzer: |
25 | | svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer |
26 | | ./Fuzzer/build.sh |
27 | | * build ffmpeg for fuzzing: |
28 | | FLAGS="-fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp -g" CC="clang $FLAGS" CXX="clang++ $FLAGS" ./configure --disable-x86asm |
29 | | make clean && make -j |
30 | | * build the fuzz target. |
31 | | Choose the value of FFMPEG_CODEC (e.g. AV_CODEC_ID_DVD_SUBTITLE) and |
32 | | choose one of FUZZ_FFMPEG_VIDEO, FUZZ_FFMPEG_AUDIO, FUZZ_FFMPEG_SUBTITLE. |
33 | | clang -fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp tools/target_dec_fuzzer.c -o target_dec_fuzzer -I. -DFFMPEG_CODEC=AV_CODEC_ID_MPEG1VIDEO -DFUZZ_FFMPEG_VIDEO ../../libfuzzer/libFuzzer.a -Llibavcodec -Llibavdevice -Llibavfilter -Llibavformat -Llibavutil -Llibpostproc -Llibswscale -Llibswresample -Wl,--as-needed -Wl,-z,noexecstack -Wl,--warn-common -Wl,-rpath-link=:libpostproc:libswresample:libswscale:libavfilter:libavdevice:libavformat:libavcodec:libavutil -lavdevice -lavfilter -lavformat -lavcodec -lswresample -lswscale -lavutil -ldl -lxcb -lxcb-shm -lxcb -lxcb-xfixes -lxcb -lxcb-shape -lxcb -lX11 -lasound -lm -lbz2 -lz -pthread |
34 | | * create a corpus directory and put some samples there (empty dir is ok too): |
35 | | mkdir CORPUS && cp some-files CORPUS |
36 | | |
37 | | * Run fuzzing: |
38 | | ./target_dec_fuzzer -max_len=100000 CORPUS |
39 | | |
40 | | More info: |
41 | | http://libfuzzer.info |
42 | | http://tutorial.libfuzzer.info |
43 | | https://github.com/google/oss-fuzz |
44 | | http://lcamtuf.coredump.cx/afl/ |
45 | | https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html |
46 | | */ |
47 | | |
48 | | #include "config.h" |
49 | | #include "libavutil/avassert.h" |
50 | | #include "libavutil/avstring.h" |
51 | | #include "libavutil/cpu.h" |
52 | | #include "libavutil/imgutils.h" |
53 | | #include "libavutil/intreadwrite.h" |
54 | | #include "libavutil/mem.h" |
55 | | |
56 | | #include "libavcodec/avcodec.h" |
57 | | #include "libavcodec/bytestream.h" |
58 | | #include "libavcodec/codec_internal.h" |
59 | | #include "libavformat/avformat.h" |
60 | | |
61 | | //For FF_SANE_NB_CHANNELS, so we dont waste energy testing things that will get instantly rejected |
62 | | #include "libavcodec/internal.h" |
63 | | |
64 | | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); |
65 | | |
66 | | extern const FFCodec * codec_list[]; |
67 | | |
68 | | static void error(const char *err) |
69 | 0 | { |
70 | 0 | fprintf(stderr, "%s", err); |
71 | 0 | exit(1); |
72 | 0 | } |
73 | | |
74 | | static const FFCodec *c = NULL; |
75 | | static const FFCodec *AVCodecInitialize(enum AVCodecID codec_id) |
76 | 0 | { |
77 | 0 | const AVCodec *res; |
78 | 0 |
|
79 | 0 | res = avcodec_find_decoder(codec_id); |
80 | 0 | if (!res) |
81 | 0 | error("Failed to find decoder"); |
82 | 0 | return ffcodec(res); |
83 | 0 | } |
84 | | |
85 | | static int subtitle_handler(AVCodecContext *avctx, AVFrame *unused, |
86 | | int *got_sub_ptr, const AVPacket *avpkt) |
87 | 2.18M | { |
88 | 2.18M | AVSubtitle sub; |
89 | 2.18M | int ret = avcodec_decode_subtitle2(avctx, &sub, got_sub_ptr, avpkt); |
90 | 2.18M | if (ret >= 0 && *got_sub_ptr) |
91 | 1.03M | avsubtitle_free(&sub); |
92 | 2.18M | return ret; |
93 | 2.18M | } |
94 | | |
95 | | static int audio_video_handler(AVCodecContext *avctx, AVFrame *frame, |
96 | | int *got_frame, const AVPacket *dummy) |
97 | 49.5M | { |
98 | 49.5M | int ret = avcodec_receive_frame(avctx, frame); |
99 | 49.5M | *got_frame = ret >= 0; |
100 | 49.5M | return ret; |
101 | 49.5M | } |
102 | | |
103 | | // Ensure we don't loop forever |
104 | | const uint32_t maxiteration = 8096; |
105 | | |
106 | | static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL; |
107 | | |
108 | | static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame) |
109 | 21.4M | { |
110 | 21.4M | ptrdiff_t linesize1[4]; |
111 | 21.4M | size_t size[4]; |
112 | 21.4M | int linesize_align[AV_NUM_DATA_POINTERS]; |
113 | 21.4M | int i, ret, w = frame->width, h = frame->height; |
114 | | |
115 | 21.4M | avcodec_align_dimensions2(ctx, &w, &h, linesize_align); |
116 | 21.4M | ret = av_image_fill_linesizes(frame->linesize, ctx->pix_fmt, w); |
117 | 21.4M | if (ret < 0) |
118 | 0 | return ret; |
119 | | |
120 | 60.5M | for (i = 0; i < 4 && frame->linesize[i]; i++) |
121 | 39.0M | linesize1[i] = frame->linesize[i] = |
122 | 39.0M | FFALIGN(frame->linesize[i], linesize_align[i]); |
123 | 68.2M | for (; i < 4; i++) |
124 | 46.8M | linesize1[i] = 0; |
125 | | |
126 | 21.4M | ret = av_image_fill_plane_sizes(size, ctx->pix_fmt, h, linesize1); |
127 | 21.4M | if (ret < 0) |
128 | 0 | return ret; |
129 | | |
130 | 21.4M | frame->extended_data = frame->data; |
131 | 67.1M | for (i = 0; i < 4 && size[i]; i++) { |
132 | 45.6M | switch(ctx->codec_id) { |
133 | 0 | case AV_CODEC_ID_FFV1: |
134 | 0 | frame->buf[i] = av_buffer_alloc(size[i]); |
135 | 0 | break; |
136 | 45.6M | default: |
137 | 45.6M | frame->buf[i] = av_buffer_allocz(size[i]); |
138 | 45.6M | } |
139 | | |
140 | 45.6M | if (!frame->buf[i]) |
141 | 0 | goto fail; |
142 | 45.6M | frame->data[i] = frame->buf[i]->data; |
143 | 45.6M | } |
144 | 147M | for (; i < AV_NUM_DATA_POINTERS; i++) { |
145 | 126M | frame->data[i] = NULL; |
146 | 126M | frame->linesize[i] = 0; |
147 | 126M | } |
148 | | |
149 | 21.4M | return 0; |
150 | 0 | fail: |
151 | 0 | av_frame_unref(frame); |
152 | 0 | return AVERROR(ENOMEM); |
153 | 21.4M | } |
154 | | |
155 | | static int fuzz_get_buffer2(AVCodecContext *ctx, AVFrame *frame, int flags) |
156 | 77.1M | { |
157 | 77.1M | switch (ctx->codec_type) { |
158 | 21.4M | case AVMEDIA_TYPE_VIDEO: |
159 | 21.4M | return (ctx->codec->capabilities & AV_CODEC_CAP_DR1) |
160 | 21.4M | ? fuzz_video_get_buffer(ctx, frame) |
161 | 21.4M | : avcodec_default_get_buffer2(ctx, frame, flags); |
162 | 55.6M | case AVMEDIA_TYPE_AUDIO: |
163 | 55.6M | return avcodec_default_get_buffer2(ctx, frame, flags); |
164 | 0 | default: |
165 | 0 | return AVERROR(EINVAL); |
166 | 77.1M | } |
167 | 77.1M | } |
168 | | |
169 | 580k | int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
170 | 580k | uint64_t maxpixels_per_frame = 4096 * 4096; |
171 | 580k | uint64_t maxpixels; |
172 | | |
173 | 580k | uint64_t maxsamples_per_frame = 256*1024*32; |
174 | 580k | uint64_t maxsamples; |
175 | 580k | const uint64_t fuzz_tag = FUZZ_TAG; |
176 | 580k | const uint8_t *last = data; |
177 | 580k | const uint8_t *end = data + size; |
178 | 580k | uint32_t it = 0; |
179 | 580k | uint64_t ec_pixels = 0; |
180 | 580k | uint64_t nb_samples = 0; |
181 | 580k | int (*decode_handler)(AVCodecContext *avctx, AVFrame *picture, |
182 | 580k | int *got_picture_ptr, |
183 | 580k | const AVPacket *avpkt) = NULL; |
184 | 580k | AVCodecParserContext *parser = NULL; |
185 | 580k | uint64_t keyframes = 0; |
186 | 580k | uint64_t flushpattern = -1; |
187 | 580k | AVDictionary *opts = NULL; |
188 | | |
189 | 580k | if (!c) { |
190 | 331 | #ifdef FFMPEG_DECODER |
191 | 993 | #define DECODER_SYMBOL0(CODEC) ff_##CODEC##_decoder |
192 | 993 | #define DECODER_SYMBOL(CODEC) DECODER_SYMBOL0(CODEC) |
193 | 331 | extern FFCodec DECODER_SYMBOL(FFMPEG_DECODER); |
194 | 331 | codec_list[0] = &DECODER_SYMBOL(FFMPEG_DECODER); |
195 | | |
196 | 331 | #if FFMPEG_DECODER == tiff || FFMPEG_DECODER == tdsc |
197 | 331 | extern FFCodec DECODER_SYMBOL(mjpeg); |
198 | 331 | codec_list[1] = &DECODER_SYMBOL(mjpeg); |
199 | 331 | #endif |
200 | | |
201 | 331 | c = &DECODER_SYMBOL(FFMPEG_DECODER); |
202 | | #else |
203 | | c = AVCodecInitialize(FFMPEG_CODEC); // Done once. |
204 | | #endif |
205 | 331 | av_log_set_level(AV_LOG_PANIC); |
206 | 331 | } |
207 | | |
208 | 580k | switch (c->p.type) { |
209 | 166k | case AVMEDIA_TYPE_AUDIO : |
210 | 564k | case AVMEDIA_TYPE_VIDEO : decode_handler = audio_video_handler ; break; |
211 | 16.0k | case AVMEDIA_TYPE_SUBTITLE: decode_handler = subtitle_handler ; break; |
212 | 580k | } |
213 | 580k | switch (c->p.id) { |
214 | 1.50k | case AV_CODEC_ID_APE: maxsamples_per_frame /= 256; break; |
215 | 580k | } |
216 | 580k | maxpixels = maxpixels_per_frame * maxiteration; |
217 | 580k | maxsamples = maxsamples_per_frame * maxiteration; |
218 | 580k | switch (c->p.id) { |
219 | 729 | case AV_CODEC_ID_AASC: maxpixels /= 1024; break; |
220 | 2.12k | case AV_CODEC_ID_AGM: maxpixels /= 1024; break; |
221 | 598 | case AV_CODEC_ID_ANM: maxpixels /= 1024; break; |
222 | 1.50k | case AV_CODEC_ID_APE: maxsamples /= 16384; break; |
223 | 903 | case AV_CODEC_ID_ARBC: maxpixels /= 1024; break; |
224 | 1.29k | case AV_CODEC_ID_ARGO: maxpixels /= 1024; break; |
225 | 765 | case AV_CODEC_ID_BETHSOFTVID: maxpixels /= 8192; break; |
226 | 1.79k | case AV_CODEC_ID_BINKVIDEO: maxpixels /= 32; break; |
227 | 297 | case AV_CODEC_ID_BONK: maxsamples /= 1<<20; break; |
228 | 1.15k | case AV_CODEC_ID_CDTOONS: maxpixels /= 1024; break; |
229 | 0 | case AV_CODEC_ID_CFHD: maxpixels /= 16384; break; |
230 | 0 | case AV_CODEC_ID_CINEPAK: maxpixels /= 128; break; |
231 | 1.20k | case AV_CODEC_ID_COOK: maxsamples /= 1<<20; break; |
232 | 1.44k | case AV_CODEC_ID_CSCD: maxpixels /= 1024; break; |
233 | 1.18k | case AV_CODEC_ID_DFA: maxpixels /= 1024; break; |
234 | 8.40k | case AV_CODEC_ID_DIRAC: maxpixels /= 8192; break; |
235 | 1.18k | case AV_CODEC_ID_DSICINVIDEO: maxpixels /= 1024; break; |
236 | 921 | case AV_CODEC_ID_DST: maxsamples /= 1<<20; break; |
237 | 0 | case AV_CODEC_ID_DVB_SUBTITLE: av_dict_set_int(&opts, "compute_clut", -2, 0); break; |
238 | 1.51k | case AV_CODEC_ID_DXA: maxpixels /= 32; break; |
239 | 0 | case AV_CODEC_ID_DXV: maxpixels /= 32; break; |
240 | 0 | case AV_CODEC_ID_EXR: maxpixels /= 1024; break; |
241 | 0 | case AV_CODEC_ID_FFV1: maxpixels /= 32; break; |
242 | 1.14k | case AV_CODEC_ID_FFWAVESYNTH: maxsamples /= 16384; break; |
243 | 0 | case AV_CODEC_ID_FLAC: maxsamples /= 1024; break; |
244 | 2.72k | case AV_CODEC_ID_FLIC: maxpixels /= 1024; break; |
245 | 0 | case AV_CODEC_ID_FLV1: maxpixels /= 1024; break; |
246 | 1.48k | case AV_CODEC_ID_FMVC: maxpixels /= 1024; break; |
247 | 3.77k | case AV_CODEC_ID_G2M: maxpixels /= 1024; break; |
248 | 1.69k | case AV_CODEC_ID_GEM: maxpixels /= 512; break; |
249 | 1.14k | case AV_CODEC_ID_GDV: maxpixels /= 512; break; |
250 | 0 | case AV_CODEC_ID_GIF: maxpixels /= 16; break; |
251 | 10.0k | case AV_CODEC_ID_H264: maxpixels /= 256; break; |
252 | 972 | case AV_CODEC_ID_HAP: maxpixels /= 128; break; |
253 | 12.8k | case AV_CODEC_ID_HEVC: maxpixels /= 16384; break; |
254 | 1.01k | case AV_CODEC_ID_HNM4_VIDEO: maxpixels /= 128; break; |
255 | 2.05k | case AV_CODEC_ID_HQ_HQA: maxpixels /= 128; break; |
256 | 3.96k | case AV_CODEC_ID_IFF_ILBM: maxpixels /= 4096; break; |
257 | 6.15k | case AV_CODEC_ID_INDEO4: maxpixels /= 128; break; |
258 | 1.15k | case AV_CODEC_ID_INTERPLAY_ACM: maxsamples /= 16384; break; |
259 | 0 | case AV_CODEC_ID_JPEG2000: maxpixels /= 16384; break; |
260 | 1.11k | case AV_CODEC_ID_LAGARITH: maxpixels /= 1024; break; |
261 | 1.09k | case AV_CODEC_ID_LOCO: maxpixels /= 1024; break; |
262 | 0 | case AV_CODEC_ID_VORBIS: maxsamples /= 1024; break; |
263 | 1.76k | case AV_CODEC_ID_LSCR: maxpixels /= 16; break; |
264 | 645 | case AV_CODEC_ID_MMVIDEO: maxpixels /= 256; break; |
265 | 910 | case AV_CODEC_ID_MOTIONPIXELS:maxpixels /= 256; break; |
266 | 2.23k | case AV_CODEC_ID_MP4ALS: maxsamples /= 65536; break; |
267 | 1.33k | case AV_CODEC_ID_MSA1: maxpixels /= 16384; break; |
268 | 0 | case AV_CODEC_ID_MSRLE: maxpixels /= 16; break; |
269 | 2.62k | case AV_CODEC_ID_MSS2: maxpixels /= 16384; break; |
270 | 926 | case AV_CODEC_ID_MSZH: maxpixels /= 128; break; |
271 | 1.29k | case AV_CODEC_ID_MTS2: maxpixels /= 4096; break; |
272 | 1.06k | case AV_CODEC_ID_MV30: maxpixels /= 128; break; |
273 | 647 | case AV_CODEC_ID_MVC2: maxpixels /= 128; break; |
274 | 2.13k | case AV_CODEC_ID_MVHA: maxpixels /= 16384; break; |
275 | 867 | case AV_CODEC_ID_MVDV: maxpixels /= 1024; break; |
276 | 1.75k | case AV_CODEC_ID_MWSC: maxpixels /= 256; break; |
277 | 5.42k | case AV_CODEC_ID_MXPEG: maxpixels /= 128; break; |
278 | 1.60k | case AV_CODEC_ID_NUV: maxpixels /= 128; break; |
279 | 0 | case AV_CODEC_ID_OPUS: maxsamples /= 16384; break; |
280 | 0 | case AV_CODEC_ID_PNG: maxpixels /= 128; break; |
281 | 0 | case AV_CODEC_ID_APNG: maxpixels /= 128; break; |
282 | 0 | case AV_CODEC_ID_QTRLE: maxpixels /= 16; break; |
283 | 825 | case AV_CODEC_ID_PAF_VIDEO: maxpixels /= 16; break; |
284 | 0 | case AV_CODEC_ID_PRORES: maxpixels /= 256; break; |
285 | 1.10k | case AV_CODEC_ID_QPEG: maxpixels /= 256; break; |
286 | 518 | case AV_CODEC_ID_RKA: maxsamples /= 1<<20; break; |
287 | 1.22k | case AV_CODEC_ID_RSCC: maxpixels /= 256; break; |
288 | 4.44k | case AV_CODEC_ID_RASC: maxpixels /= 16; break; |
289 | 1.16k | case AV_CODEC_ID_RTV1: maxpixels /= 16; break; |
290 | 1.99k | case AV_CODEC_ID_RV30: maxpixels /= 256; break; |
291 | 2.36k | case AV_CODEC_ID_SANM: maxpixels /= 16; break; |
292 | 2.13k | case AV_CODEC_ID_SCPR: maxpixels /= 32; break; |
293 | 1.26k | case AV_CODEC_ID_SCREENPRESSO:maxpixels /= 64; break; |
294 | 845 | case AV_CODEC_ID_SIMBIOSIS_IMX:maxpixels /= 16384; break; |
295 | 1.59k | case AV_CODEC_ID_SPEEX: maxsamples /= 128; break; |
296 | 717 | case AV_CODEC_ID_SMACKAUDIO: maxsamples /= 4096; break; |
297 | 1.43k | case AV_CODEC_ID_SMACKVIDEO: maxpixels /= 64; break; |
298 | 0 | case AV_CODEC_ID_SNOW: maxpixels /= 128; break; |
299 | 0 | case AV_CODEC_ID_TARGA: maxpixels /= 128; break; |
300 | 1.48k | case AV_CODEC_ID_TAK: maxsamples /= 1024; break; |
301 | 1.91k | case AV_CODEC_ID_TGV: maxpixels /= 32; break; |
302 | 3.18k | case AV_CODEC_ID_THEORA: maxpixels /= 16384; break; |
303 | 1.09k | case AV_CODEC_ID_TQI: maxpixels /= 1024; break; |
304 | 1.50k | case AV_CODEC_ID_TRUEMOTION2: maxpixels /= 1024; break; |
305 | 1.21k | case AV_CODEC_ID_TSCC: maxpixels /= 1024; break; |
306 | 0 | case AV_CODEC_ID_UTVIDEO: maxpixels /= 1024; break; |
307 | 851 | case AV_CODEC_ID_VB: maxpixels /= 1024; break; |
308 | 10.8k | case AV_CODEC_ID_VC1: maxpixels /= 8192; break; |
309 | 8.25k | case AV_CODEC_ID_VC1IMAGE: maxpixels /= 8192; break; |
310 | 1.26k | case AV_CODEC_ID_VMNC: maxpixels /= 8192; break; |
311 | 1.01k | case AV_CODEC_ID_VMDVIDEO: maxpixels /= 1024; break; |
312 | 1.41k | case AV_CODEC_ID_VMIX: maxpixels /= 8192; break; |
313 | 2.10k | case AV_CODEC_ID_VP3: maxpixels /= 4096; break; |
314 | 2.04k | case AV_CODEC_ID_VP4: maxpixels /= 4096; break; |
315 | 3.27k | case AV_CODEC_ID_VP5: maxpixels /= 256; break; |
316 | 3.65k | case AV_CODEC_ID_VP6F: maxpixels /= 4096; break; |
317 | 3.82k | case AV_CODEC_ID_VP6A: maxpixels /= 4096; break; |
318 | 6.71k | case AV_CODEC_ID_VP7: maxpixels /= 256; break; |
319 | 10.2k | case AV_CODEC_ID_VP9: maxpixels /= 4096; break; |
320 | 0 | case AV_CODEC_ID_WAVPACK: maxsamples /= 1024; break; |
321 | 1.39k | case AV_CODEC_ID_WCMV: maxpixels /= 1024; break; |
322 | 2.64k | case AV_CODEC_ID_WMV3IMAGE: maxpixels /= 8192; break; |
323 | 0 | case AV_CODEC_ID_WMV2: maxpixels /= 1024; break; |
324 | 6.28k | case AV_CODEC_ID_WMV3: maxpixels /= 1024; break; |
325 | 1.33k | case AV_CODEC_ID_WS_VQA: maxpixels /= 16384; break; |
326 | 1.47k | case AV_CODEC_ID_WMALOSSLESS: maxsamples /= 1024; break; |
327 | 1.51k | case AV_CODEC_ID_WMAPRO: maxsamples /= 16384; break; |
328 | 1.50k | case AV_CODEC_ID_YLC: maxpixels /= 1024; break; |
329 | 1.48k | case AV_CODEC_ID_ZEROCODEC: maxpixels /= 128; break; |
330 | 0 | case AV_CODEC_ID_ZLIB: maxpixels /= 4096; break; |
331 | 580k | } |
332 | | |
333 | 580k | maxsamples_per_frame = FFMIN(maxsamples_per_frame, maxsamples); |
334 | 580k | maxpixels_per_frame = FFMIN(maxpixels_per_frame , maxpixels); |
335 | | |
336 | 580k | AVCodecContext* ctx = avcodec_alloc_context3(&c->p); |
337 | 580k | AVCodecContext* parser_avctx = avcodec_alloc_context3(NULL); |
338 | 580k | if (!ctx || !parser_avctx) |
339 | 0 | error("Failed memory allocation"); |
340 | | |
341 | 580k | if (ctx->max_pixels == 0 || ctx->max_pixels > maxpixels_per_frame) |
342 | 576k | ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM and hangs |
343 | | |
344 | 580k | ctx->max_samples = maxsamples_per_frame; |
345 | 580k | ctx->get_buffer2 = fuzz_get_buffer2; |
346 | 580k | if (c->p.capabilities & AV_CODEC_CAP_EXPERIMENTAL) |
347 | 10.1k | ctx->strict_std_compliance = FF_COMPLIANCE_EXPERIMENTAL; |
348 | | |
349 | 580k | if (size > 1024) { |
350 | 361k | GetByteContext gbc; |
351 | 361k | int extradata_size; |
352 | 361k | int flags; |
353 | 361k | uint64_t request_channel_layout; |
354 | 361k | int64_t flags64; |
355 | | |
356 | 361k | size -= 1024; |
357 | 361k | bytestream2_init(&gbc, data + size, 1024); |
358 | 361k | ctx->width = bytestream2_get_le32(&gbc); |
359 | 361k | ctx->height = bytestream2_get_le32(&gbc); |
360 | 361k | ctx->bit_rate = bytestream2_get_le64(&gbc); |
361 | 361k | ctx->bits_per_coded_sample = bytestream2_get_le32(&gbc); |
362 | | // Try to initialize a parser for this codec, note, this may fail which just means we test without one |
363 | 361k | flags = bytestream2_get_byte(&gbc); |
364 | 361k | if (flags & 1) |
365 | 139k | parser = av_parser_init(c->p.id); |
366 | 361k | if (flags & 2) |
367 | 124k | ctx->strict_std_compliance = FF_COMPLIANCE_EXPERIMENTAL; |
368 | 361k | if (flags & 4) { |
369 | 121k | ctx->err_recognition = AV_EF_AGGRESSIVE | AV_EF_COMPLIANT | AV_EF_CAREFUL; |
370 | 121k | if (flags & 8) |
371 | 69.4k | ctx->err_recognition |= AV_EF_EXPLODE; |
372 | 121k | } |
373 | 361k | if ((flags & 0x10) && c->p.id != AV_CODEC_ID_H264) |
374 | 112k | ctx->flags2 |= AV_CODEC_FLAG2_FAST; |
375 | 361k | if (flags & 0x80) |
376 | 66.7k | ctx->export_side_data |= AV_CODEC_EXPORT_DATA_MVS; |
377 | | |
378 | 361k | if (flags & 0x40) |
379 | 132k | av_force_cpu_flags(0); |
380 | | |
381 | 361k | extradata_size = bytestream2_get_le32(&gbc); |
382 | | |
383 | 361k | ctx->sample_rate = bytestream2_get_le32(&gbc) & 0x7FFFFFFF; |
384 | 361k | ctx->ch_layout.nb_channels = (unsigned)bytestream2_get_le32(&gbc) % FF_SANE_NB_CHANNELS; |
385 | 361k | ctx->block_align = bytestream2_get_le32(&gbc) & 0x7FFFFFFF; |
386 | 361k | ctx->codec_tag = bytestream2_get_le32(&gbc); |
387 | 361k | if (c->codec_tags) { |
388 | 953 | int n; |
389 | 5.71k | for (n = 0; c->codec_tags[n] != FF_CODEC_TAGS_END; n++); |
390 | 953 | ctx->codec_tag = c->codec_tags[ctx->codec_tag % n]; |
391 | 953 | } |
392 | 361k | keyframes = bytestream2_get_le64(&gbc); |
393 | 361k | request_channel_layout = bytestream2_get_le64(&gbc); |
394 | | |
395 | 361k | ctx->idct_algo = bytestream2_get_byte(&gbc) % 25; |
396 | 361k | flushpattern = bytestream2_get_le64(&gbc); |
397 | 361k | ctx->skip_frame = bytestream2_get_byte(&gbc) - 254 + AVDISCARD_ALL; |
398 | | |
399 | | |
400 | 361k | if (flags & 0x20) { |
401 | 110k | switch (ctx->codec_id) { |
402 | 0 | case AV_CODEC_ID_AC3: |
403 | 0 | case AV_CODEC_ID_EAC3: |
404 | 0 | av_dict_set_int(&opts, "cons_noisegen", bytestream2_get_byte(&gbc) & 1, 0); |
405 | 0 | av_dict_set_int(&opts, "heavy_compr", bytestream2_get_byte(&gbc) & 1, 0); |
406 | 0 | av_dict_set_int(&opts, "target_level", (int)(bytestream2_get_byte(&gbc) % 32) - 31, 0); |
407 | 0 | av_dict_set_int(&opts, "dmix_mode", (int)(bytestream2_get_byte(&gbc) % 4) - 1, 0); |
408 | 0 | break; |
409 | 110k | } |
410 | 110k | } |
411 | | |
412 | | // Keep the deprecated request_channel_layout behavior to ensure old fuzzing failures |
413 | | // remain reproducible. |
414 | 361k | if (request_channel_layout) { |
415 | 331k | switch (ctx->codec_id) { |
416 | 0 | case AV_CODEC_ID_AC3: |
417 | 0 | case AV_CODEC_ID_EAC3: |
418 | 0 | case AV_CODEC_ID_MLP: |
419 | 0 | case AV_CODEC_ID_TRUEHD: |
420 | 0 | case AV_CODEC_ID_DTS: |
421 | 0 | if (request_channel_layout & ~INT64_MIN) { |
422 | 0 | char *downmix_layout = av_mallocz(19); |
423 | 0 | if (!downmix_layout) |
424 | 0 | error("Failed memory allocation"); |
425 | 0 | av_strlcatf(downmix_layout, 19, "0x%"PRIx64, request_channel_layout & ~INT64_MIN); |
426 | 0 | av_dict_set(&opts, "downmix", downmix_layout, AV_DICT_DONT_STRDUP_VAL); |
427 | 0 | } |
428 | 0 | if (ctx->codec_id != AV_CODEC_ID_DTS) |
429 | 0 | break; |
430 | | // fall-through |
431 | 823 | case AV_CODEC_ID_DOLBY_E: |
432 | 823 | av_dict_set_int(&opts, "channel_order", !!(request_channel_layout & INT64_MIN), 0); |
433 | 823 | break; |
434 | 331k | } |
435 | 331k | } |
436 | | |
437 | 361k | flags64 = bytestream2_get_le64(&gbc); |
438 | 361k | if (flags64 &1) |
439 | 139k | ctx->debug |= FF_DEBUG_SKIP; |
440 | 361k | if (flags64 &2) |
441 | 140k | ctx->debug |= FF_DEBUG_QP; |
442 | 361k | if (flags64 &4) |
443 | 146k | ctx->debug |= FF_DEBUG_MB_TYPE; |
444 | 361k | if (flags64 & 8) |
445 | 124k | ctx->export_side_data |= AV_CODEC_EXPORT_DATA_VIDEO_ENC_PARAMS; |
446 | 361k | if (flags64 & 0x10) |
447 | 131k | ctx->err_recognition |= AV_EF_CRCCHECK; |
448 | | |
449 | 361k | ctx->workaround_bugs = bytestream2_get_le32(&gbc); |
450 | | |
451 | 361k | if (c->p.max_lowres) { |
452 | 11.7k | ctx->lowres = bytestream2_get_byte(&gbc) % (c->p.max_lowres+1); |
453 | 11.7k | } |
454 | | |
455 | 361k | if (extradata_size < size) { |
456 | 150k | ctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE); |
457 | 150k | if (ctx->extradata) { |
458 | 150k | ctx->extradata_size = extradata_size; |
459 | 150k | size -= ctx->extradata_size; |
460 | 150k | memcpy(ctx->extradata, data + size, ctx->extradata_size); |
461 | 150k | } |
462 | 150k | } |
463 | 361k | if (av_image_check_size(ctx->width, ctx->height, 0, ctx)) |
464 | 209k | ctx->width = ctx->height = 0; |
465 | 361k | } |
466 | | |
467 | 580k | int res = avcodec_open2(ctx, &c->p, &opts); |
468 | 580k | if (res < 0) { |
469 | 56.6k | avcodec_free_context(&ctx); |
470 | 56.6k | av_free(parser_avctx); |
471 | 56.6k | av_parser_close(parser); |
472 | 56.6k | av_dict_free(&opts); |
473 | 56.6k | return 0; // Failure of avcodec_open2() does not imply that a issue was found |
474 | 56.6k | } |
475 | 523k | parser_avctx->codec_id = ctx->codec_id; |
476 | 523k | parser_avctx->extradata_size = ctx->extradata_size; |
477 | 523k | parser_avctx->extradata = ctx->extradata ? av_memdup(ctx->extradata, ctx->extradata_size + AV_INPUT_BUFFER_PADDING_SIZE) : NULL; |
478 | | |
479 | | |
480 | 523k | int got_frame; |
481 | 523k | AVFrame *frame = av_frame_alloc(); |
482 | 523k | AVPacket *avpkt = av_packet_alloc(); |
483 | 523k | AVPacket *parsepkt = av_packet_alloc(); |
484 | 523k | if (!frame || !avpkt || !parsepkt) |
485 | 0 | error("Failed memory allocation"); |
486 | | |
487 | | // Read very simple container |
488 | 95.6M | while (data < end && it < maxiteration) { |
489 | | // Search for the TAG |
490 | 12.0G | while (data + sizeof(fuzz_tag) < end) { |
491 | 12.0G | if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag) |
492 | 94.6M | break; |
493 | 11.9G | data++; |
494 | 11.9G | } |
495 | 95.1M | if (data + sizeof(fuzz_tag) > end) |
496 | 65.9k | data = end; |
497 | | |
498 | 95.1M | res = av_new_packet(parsepkt, data - last); |
499 | 95.1M | if (res < 0) |
500 | 0 | error("Failed memory allocation"); |
501 | 95.1M | memcpy(parsepkt->data, last, data - last); |
502 | 95.1M | parsepkt->flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY; |
503 | 95.1M | keyframes = (keyframes >> 2) + (keyframes<<62); |
504 | 95.1M | data += sizeof(fuzz_tag); |
505 | 95.1M | last = data; |
506 | | |
507 | 213M | while (parsepkt->size > 0) { |
508 | 118M | int decode_more; |
509 | | |
510 | 118M | if (parser) { |
511 | 28.4M | int ret = av_parser_parse2(parser, parser_avctx, &avpkt->data, &avpkt->size, |
512 | 28.4M | parsepkt->data, parsepkt->size, |
513 | 28.4M | parsepkt->pts, parsepkt->dts, parsepkt->pos); |
514 | 28.4M | if (avpkt->data == parsepkt->data) { |
515 | 24.1M | avpkt->buf = av_buffer_ref(parsepkt->buf); |
516 | 24.1M | if (!avpkt->buf) |
517 | 0 | error("Failed memory allocation"); |
518 | 24.1M | } else { |
519 | 4.33M | if (av_packet_make_refcounted(avpkt) < 0) |
520 | 0 | error("Failed memory allocation"); |
521 | 4.33M | } |
522 | 28.4M | parsepkt->data += ret; |
523 | 28.4M | parsepkt->size -= ret; |
524 | 28.4M | parsepkt->pos += ret; |
525 | 28.4M | avpkt->pts = parser->pts; |
526 | 28.4M | avpkt->dts = parser->dts; |
527 | 28.4M | avpkt->pos = parser->pos; |
528 | 28.4M | if ( parser->key_frame == 1 || |
529 | 28.4M | (parser->key_frame == -1 && parser->pict_type == AV_PICTURE_TYPE_I)) |
530 | 24.5M | avpkt->flags |= AV_PKT_FLAG_KEY; |
531 | 28.4M | avpkt->flags |= parsepkt->flags & AV_PKT_FLAG_DISCARD; |
532 | 90.3M | } else { |
533 | 90.3M | av_packet_move_ref(avpkt, parsepkt); |
534 | 90.3M | } |
535 | | |
536 | 118M | if (!(flushpattern & 7)) |
537 | 39.2M | avcodec_flush_buffers(ctx); |
538 | 118M | flushpattern = (flushpattern >> 3) + (flushpattern << 61); |
539 | | |
540 | 118M | if (ctx->codec_type != AVMEDIA_TYPE_SUBTITLE) { |
541 | 116M | int ret = avcodec_send_packet(ctx, avpkt); |
542 | 116M | decode_more = ret >= 0; |
543 | 116M | if(!decode_more) { |
544 | 60.8M | ec_pixels += (ctx->width + 32LL) * (ctx->height + 32LL); |
545 | 60.8M | if (it > 20 || ec_pixels > 4 * ctx->max_pixels) { |
546 | 47.0M | ctx->error_concealment = 0; |
547 | 47.0M | ctx->debug &= ~(FF_DEBUG_SKIP | FF_DEBUG_QP | FF_DEBUG_MB_TYPE); |
548 | 47.0M | } |
549 | 60.8M | if (ec_pixels > maxpixels) |
550 | 8.87k | goto maximums_reached; |
551 | 60.8M | } |
552 | 116M | } else |
553 | 2.16M | decode_more = 1; |
554 | | |
555 | | // Iterate through all data |
556 | 120M | while (decode_more && it++ < maxiteration) { |
557 | 47.9M | av_frame_unref(frame); |
558 | 47.9M | int ret = decode_handler(ctx, frame, &got_frame, avpkt); |
559 | | |
560 | 47.9M | ec_pixels += (ctx->width + 32LL) * (ctx->height + 32LL); |
561 | 47.9M | if (it > 20 || ec_pixels > 4 * ctx->max_pixels) { |
562 | 46.1M | ctx->error_concealment = 0; |
563 | 46.1M | ctx->debug &= ~(FF_DEBUG_SKIP | FF_DEBUG_QP | FF_DEBUG_MB_TYPE); |
564 | 46.1M | } |
565 | 47.9M | if (ec_pixels > maxpixels) |
566 | 6.90k | goto maximums_reached; |
567 | | |
568 | 47.9M | if (ctx->codec_type == AVMEDIA_TYPE_AUDIO && |
569 | 47.9M | frame->nb_samples == 0 && !got_frame && |
570 | 47.9M | (avpkt->flags & AV_PKT_FLAG_DISCARD)) |
571 | 10.7M | nb_samples += ctx->max_samples; |
572 | | |
573 | 47.9M | nb_samples += frame->nb_samples; |
574 | 47.9M | if (nb_samples > maxsamples) |
575 | 893 | goto maximums_reached; |
576 | | |
577 | 47.9M | if (ret <= 0 || ret > avpkt->size) |
578 | 46.3M | break; |
579 | | |
580 | 1.56M | if (ctx->codec_type == AVMEDIA_TYPE_SUBTITLE) { |
581 | 1.56M | avpkt->data += ret; |
582 | 1.56M | avpkt->size -= ret; |
583 | 1.56M | decode_more = avpkt->size > 0; |
584 | 1.56M | } else |
585 | 0 | decode_more = ret >= 0; |
586 | 1.56M | } |
587 | 118M | av_packet_unref(avpkt); |
588 | 118M | } |
589 | 95.1M | av_packet_unref(parsepkt); |
590 | 95.1M | } |
591 | 523k | maximums_reached: |
592 | | |
593 | 523k | av_packet_unref(avpkt); |
594 | | |
595 | 523k | if (ctx->codec_type != AVMEDIA_TYPE_SUBTITLE) |
596 | 509k | avcodec_send_packet(ctx, NULL); |
597 | | |
598 | 3.76M | do { |
599 | 3.76M | got_frame = 0; |
600 | 3.76M | av_frame_unref(frame); |
601 | 3.76M | decode_handler(ctx, frame, &got_frame, avpkt); |
602 | | |
603 | 3.76M | nb_samples += frame->nb_samples; |
604 | 3.76M | if (nb_samples > maxsamples) |
605 | 1.01k | break; |
606 | 3.76M | } while (got_frame == 1 && it++ < maxiteration); |
607 | | |
608 | 0 | fprintf(stderr, "pixels decoded: %"PRId64", samples decoded: %"PRId64", iterations: %d\n", ec_pixels, nb_samples, it); |
609 | | |
610 | 523k | av_frame_free(&frame); |
611 | 523k | avcodec_free_context(&ctx); |
612 | 523k | avcodec_free_context(&parser_avctx); |
613 | 523k | av_parser_close(parser); |
614 | 523k | av_packet_free(&avpkt); |
615 | 523k | av_packet_free(&parsepkt); |
616 | 523k | av_dict_free(&opts); |
617 | 523k | return 0; |
618 | 523k | } |