/src/libhevc/fuzzer/hevc_dec_fuzzer.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /****************************************************************************** |
2 | | * |
3 | | * Copyright (C) 2019 The Android Open Source Project |
4 | | * |
5 | | * Licensed under the Apache License, Version 2.0 (the "License"); |
6 | | * you may not use this file except in compliance with the License. |
7 | | * You may obtain a copy of the License at: |
8 | | * |
9 | | * http://www.apache.org/licenses/LICENSE-2.0 |
10 | | * |
11 | | * Unless required by applicable law or agreed to in writing, software |
12 | | * distributed under the License is distributed on an "AS IS" BASIS, |
13 | | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
14 | | * See the License for the specific language governing permissions and |
15 | | * limitations under the License. |
16 | | * |
17 | | ***************************************************************************** |
18 | | * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore |
19 | | */ |
20 | | |
21 | | #include <stddef.h> |
22 | | #include <stdint.h> |
23 | | #include <stdio.h> |
24 | | #include <stdlib.h> |
25 | | #include <string.h> |
26 | | |
27 | | #include <algorithm> |
28 | | #include <memory> |
29 | | |
30 | | #include "ihevc_typedefs.h" |
31 | | #include "ihevcd_cxa.h" |
32 | | #include "iv.h" |
33 | | #include "ivd.h" |
34 | | |
35 | | #define NELEMENTS(x) (sizeof(x) / sizeof(x[0])) |
36 | 48.6k | #define ivd_api_function ihevcd_cxa_api_function |
37 | | const IV_COLOR_FORMAT_T supportedColorFormats[] = { |
38 | | IV_YUV_420P, IV_YUV_420SP_UV, IV_YUV_420SP_VU, |
39 | | IV_YUV_422ILE, IV_RGB_565, IV_RGBA_8888}; |
40 | | |
41 | | /* Decoder ignores invalid arch, i.e. for arm build, if SSSE3 is requested, |
42 | | * decoder defaults to a supported configuration. So same set of supported |
43 | | * architectures can be used in arm/arm64/x86 builds */ |
44 | | const IVD_ARCH_T supportedArchitectures[] = { |
45 | | ARCH_ARM_NONEON, ARCH_ARM_A9Q, ARCH_ARM_NEONINTR, ARCH_ARMV8_GENERIC, |
46 | | ARCH_X86_GENERIC, ARCH_X86_SSSE3, ARCH_X86_SSE42}; |
47 | | |
48 | | enum { |
49 | | OFFSET_COLOR_FORMAT = 6, |
50 | | OFFSET_NUM_CORES, |
51 | | OFFSET_ARCH, |
52 | | /* Should be the last entry */ |
53 | | OFFSET_MAX, |
54 | | }; |
55 | | |
56 | | const static int kMaxNumDecodeCalls = 100; |
57 | | const static int kSupportedColorFormats = NELEMENTS(supportedColorFormats); |
58 | | const static int kSupportedArchitectures = NELEMENTS(supportedArchitectures); |
59 | | const static int kMaxCores = 4; |
60 | 51.3k | void *iv_aligned_malloc(void *ctxt, WORD32 alignment, WORD32 size) { |
61 | 51.3k | void *buf = NULL; |
62 | 51.3k | (void)ctxt; |
63 | 51.3k | if (0 != posix_memalign(&buf, alignment, size)) { |
64 | 0 | return NULL; |
65 | 0 | } |
66 | 51.3k | return buf; |
67 | 51.3k | } |
68 | | |
69 | 48.1k | void iv_aligned_free(void *ctxt, void *buf) { |
70 | 48.1k | (void)ctxt; |
71 | 48.1k | free(buf); |
72 | 48.1k | } |
73 | | |
74 | | class Codec { |
75 | | public: |
76 | | Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores); |
77 | | ~Codec(); |
78 | | |
79 | | void createCodec(); |
80 | | void deleteCodec(); |
81 | | void resetCodec(); |
82 | | void setCores(); |
83 | | void allocFrame(); |
84 | | void freeFrame(); |
85 | | void decodeHeader(const uint8_t *data, size_t size); |
86 | | IV_API_CALL_STATUS_T decodeFrame(const uint8_t *data, size_t size, |
87 | | size_t *bytesConsumed); |
88 | | void setParams(IVD_VIDEO_DECODE_MODE_T mode); |
89 | | void setArchitecture(IVD_ARCH_T arch); |
90 | | |
91 | | private: |
92 | | IV_COLOR_FORMAT_T mColorFormat; |
93 | | size_t mNumCores; |
94 | | iv_obj_t *mCodec; |
95 | | ivd_out_bufdesc_t mOutBufHandle; |
96 | | uint32_t mWidth; |
97 | | uint32_t mHeight; |
98 | | }; |
99 | | |
100 | 555 | Codec::Codec(IV_COLOR_FORMAT_T colorFormat, size_t numCores) { |
101 | 555 | mColorFormat = colorFormat; |
102 | 555 | mNumCores = numCores; |
103 | 555 | mCodec = nullptr; |
104 | 555 | mWidth = 0; |
105 | 555 | mHeight = 0; |
106 | | |
107 | 555 | memset(&mOutBufHandle, 0, sizeof(mOutBufHandle)); |
108 | 555 | } |
109 | | |
110 | 9.51k | Codec::~Codec() {} |
111 | | |
112 | 555 | void Codec::createCodec() { |
113 | 555 | IV_API_CALL_STATUS_T ret; |
114 | 555 | ihevcd_cxa_create_ip_t create_ip{}; |
115 | 555 | ihevcd_cxa_create_op_t create_op{}; |
116 | 555 | void *fxns = (void *)&ivd_api_function; |
117 | | |
118 | 555 | create_ip.s_ivd_create_ip_t.e_cmd = IVD_CMD_CREATE; |
119 | 555 | create_ip.s_ivd_create_ip_t.u4_share_disp_buf = 0; |
120 | 555 | create_ip.s_ivd_create_ip_t.e_output_format = mColorFormat; |
121 | 555 | create_ip.u4_keep_threads_active = 1; |
122 | 555 | create_ip.s_ivd_create_ip_t.pf_aligned_alloc = iv_aligned_malloc; |
123 | 555 | create_ip.s_ivd_create_ip_t.pf_aligned_free = iv_aligned_free; |
124 | 555 | create_ip.s_ivd_create_ip_t.pv_mem_ctxt = NULL; |
125 | 555 | create_ip.s_ivd_create_ip_t.u4_size = sizeof(ihevcd_cxa_create_ip_t); |
126 | 555 | create_op.s_ivd_create_op_t.u4_size = sizeof(ihevcd_cxa_create_op_t); |
127 | | |
128 | 555 | ret = ivd_api_function(NULL, (void *)&create_ip, (void *)&create_op); |
129 | 555 | if (ret != IV_SUCCESS) { |
130 | 3 | return; |
131 | 3 | } |
132 | 552 | mCodec = (iv_obj_t *)create_op.s_ivd_create_op_t.pv_handle; |
133 | 552 | mCodec->pv_fxns = fxns; |
134 | 552 | mCodec->u4_size = sizeof(iv_obj_t); |
135 | 552 | } |
136 | | |
137 | 555 | void Codec::deleteCodec() { |
138 | 555 | ivd_delete_ip_t delete_ip{}; |
139 | 555 | ivd_delete_op_t delete_op{}; |
140 | | |
141 | 555 | delete_ip.e_cmd = IVD_CMD_DELETE; |
142 | 555 | delete_ip.u4_size = sizeof(ivd_delete_ip_t); |
143 | 555 | delete_op.u4_size = sizeof(ivd_delete_op_t); |
144 | | |
145 | 555 | ivd_api_function(mCodec, (void *)&delete_ip, (void *)&delete_op); |
146 | 555 | } |
147 | | |
148 | 1.64k | void Codec::resetCodec() { |
149 | 1.64k | ivd_ctl_reset_ip_t s_ctl_ip{}; |
150 | 1.64k | ivd_ctl_reset_op_t s_ctl_op{}; |
151 | | |
152 | 1.64k | s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL; |
153 | 1.64k | s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_RESET; |
154 | 1.64k | s_ctl_ip.u4_size = sizeof(ivd_ctl_reset_ip_t); |
155 | 1.64k | s_ctl_op.u4_size = sizeof(ivd_ctl_reset_op_t); |
156 | | |
157 | 1.64k | ivd_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op); |
158 | 1.64k | } |
159 | | |
160 | 555 | void Codec::setCores() { |
161 | 555 | ihevcd_cxa_ctl_set_num_cores_ip_t s_ctl_ip{}; |
162 | 555 | ihevcd_cxa_ctl_set_num_cores_op_t s_ctl_op{}; |
163 | | |
164 | 555 | s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL; |
165 | 555 | s_ctl_ip.e_sub_cmd = |
166 | 555 | (IVD_CONTROL_API_COMMAND_TYPE_T)IHEVCD_CXA_CMD_CTL_SET_NUM_CORES; |
167 | 555 | s_ctl_ip.u4_num_cores = mNumCores; |
168 | 555 | s_ctl_ip.u4_size = sizeof(ihevcd_cxa_ctl_set_num_cores_ip_t); |
169 | 555 | s_ctl_op.u4_size = sizeof(ihevcd_cxa_ctl_set_num_cores_op_t); |
170 | | |
171 | 555 | ivd_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op); |
172 | 555 | } |
173 | | |
174 | 1.11k | void Codec::setParams(IVD_VIDEO_DECODE_MODE_T mode) { |
175 | 1.11k | ivd_ctl_set_config_ip_t s_ctl_ip{}; |
176 | 1.11k | ivd_ctl_set_config_op_t s_ctl_op{}; |
177 | | |
178 | 1.11k | s_ctl_ip.u4_disp_wd = 0; |
179 | 1.11k | s_ctl_ip.e_frm_skip_mode = IVD_SKIP_NONE; |
180 | 1.11k | s_ctl_ip.e_frm_out_mode = IVD_DISPLAY_FRAME_OUT; |
181 | 1.11k | s_ctl_ip.e_vid_dec_mode = mode; |
182 | 1.11k | s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL; |
183 | 1.11k | s_ctl_ip.e_sub_cmd = IVD_CMD_CTL_SETPARAMS; |
184 | 1.11k | s_ctl_ip.u4_size = sizeof(ivd_ctl_set_config_ip_t); |
185 | 1.11k | s_ctl_op.u4_size = sizeof(ivd_ctl_set_config_op_t); |
186 | | |
187 | 1.11k | ivd_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op); |
188 | 1.11k | } |
189 | | |
190 | 555 | void Codec::setArchitecture(IVD_ARCH_T arch) { |
191 | 555 | ihevcd_cxa_ctl_set_processor_ip_t s_ctl_ip{}; |
192 | 555 | ihevcd_cxa_ctl_set_processor_op_t s_ctl_op{}; |
193 | | |
194 | 555 | s_ctl_ip.e_cmd = IVD_CMD_VIDEO_CTL; |
195 | 555 | s_ctl_ip.e_sub_cmd = |
196 | 555 | (IVD_CONTROL_API_COMMAND_TYPE_T)IHEVCD_CXA_CMD_CTL_SET_PROCESSOR; |
197 | 555 | s_ctl_ip.u4_arch = arch; |
198 | 555 | s_ctl_ip.u4_soc = SOC_GENERIC; |
199 | 555 | s_ctl_ip.u4_size = sizeof(ihevcd_cxa_ctl_set_processor_ip_t); |
200 | 555 | s_ctl_op.u4_size = sizeof(ihevcd_cxa_ctl_set_processor_op_t); |
201 | | |
202 | 555 | ivd_api_function(mCodec, (void *)&s_ctl_ip, (void *)&s_ctl_op); |
203 | 555 | } |
204 | 2.20k | void Codec::freeFrame() { |
205 | 5.39k | for (int i = 0; i < mOutBufHandle.u4_num_bufs; i++) { |
206 | 3.18k | if (mOutBufHandle.pu1_bufs[i]) { |
207 | 3.18k | free(mOutBufHandle.pu1_bufs[i]); |
208 | 3.18k | mOutBufHandle.pu1_bufs[i] = nullptr; |
209 | 3.18k | } |
210 | 3.18k | } |
211 | 2.20k | } |
212 | | |
213 | 1.65k | void Codec::allocFrame() { |
214 | 1.65k | size_t sizes[4] = {0}; |
215 | 1.65k | size_t num_bufs = 0; |
216 | | |
217 | 1.65k | freeFrame(); |
218 | | |
219 | 1.65k | memset(&mOutBufHandle, 0, sizeof(mOutBufHandle)); |
220 | | |
221 | 1.65k | switch (mColorFormat) { |
222 | 226 | case IV_YUV_420SP_UV: |
223 | 226 | [[fallthrough]]; |
224 | 501 | case IV_YUV_420SP_VU: |
225 | 501 | sizes[0] = mWidth * mHeight; |
226 | 501 | sizes[1] = mWidth * mHeight >> 1; |
227 | 501 | num_bufs = 2; |
228 | 501 | break; |
229 | 163 | case IV_YUV_422ILE: |
230 | 163 | sizes[0] = mWidth * mHeight * 2; |
231 | 163 | num_bufs = 1; |
232 | 163 | break; |
233 | 469 | case IV_RGB_565: |
234 | 469 | sizes[0] = mWidth * mHeight * 2; |
235 | 469 | num_bufs = 1; |
236 | 469 | break; |
237 | 3 | case IV_RGBA_8888: |
238 | 3 | sizes[0] = mWidth * mHeight * 4; |
239 | 3 | num_bufs = 1; |
240 | 3 | break; |
241 | 516 | case IV_YUV_420P: |
242 | 516 | [[fallthrough]]; |
243 | 516 | default: |
244 | 516 | sizes[0] = mWidth * mHeight; |
245 | 516 | sizes[1] = mWidth * mHeight >> 2; |
246 | 516 | sizes[2] = mWidth * mHeight >> 2; |
247 | 516 | num_bufs = 3; |
248 | 516 | break; |
249 | 1.65k | } |
250 | 1.65k | mOutBufHandle.u4_num_bufs = num_bufs; |
251 | 4.83k | for (int i = 0; i < num_bufs; i++) { |
252 | 3.18k | mOutBufHandle.u4_min_out_buf_size[i] = sizes[i]; |
253 | 3.18k | mOutBufHandle.pu1_bufs[i] = (UWORD8 *)iv_aligned_malloc(NULL, 16, sizes[i]); |
254 | 3.18k | } |
255 | 1.65k | } |
256 | | |
257 | 555 | void Codec::decodeHeader(const uint8_t *data, size_t size) { |
258 | 555 | setParams(IVD_DECODE_HEADER); |
259 | | |
260 | 555 | size_t numDecodeCalls = 0; |
261 | | |
262 | 14.3k | while (size > 0 && numDecodeCalls < kMaxNumDecodeCalls) { |
263 | 14.3k | IV_API_CALL_STATUS_T ret; |
264 | 14.3k | ivd_video_decode_ip_t dec_ip{}; |
265 | 14.3k | ivd_video_decode_op_t dec_op{}; |
266 | 14.3k | size_t bytes_consumed; |
267 | | |
268 | 14.3k | memset(&dec_ip, 0, sizeof(dec_ip)); |
269 | 14.3k | memset(&dec_op, 0, sizeof(dec_op)); |
270 | | |
271 | 14.3k | dec_ip.e_cmd = IVD_CMD_VIDEO_DECODE; |
272 | 14.3k | dec_ip.u4_ts = 0; |
273 | 14.3k | dec_ip.pv_stream_buffer = (void *)data; |
274 | 14.3k | dec_ip.u4_num_Bytes = size; |
275 | 14.3k | dec_ip.u4_size = sizeof(ivd_video_decode_ip_t); |
276 | 14.3k | dec_op.u4_size = sizeof(ivd_video_decode_op_t); |
277 | | |
278 | 14.3k | ret = ivd_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op); |
279 | | |
280 | 14.3k | bytes_consumed = dec_op.u4_num_bytes_consumed; |
281 | | /* If no bytes are consumed, then consume 4 bytes to ensure fuzzer proceeds |
282 | | * to feed next data */ |
283 | 14.3k | if (!bytes_consumed) bytes_consumed = 4; |
284 | | |
285 | 14.3k | bytes_consumed = std::min(size, bytes_consumed); |
286 | | |
287 | 14.3k | data += bytes_consumed; |
288 | 14.3k | size -= bytes_consumed; |
289 | 14.3k | numDecodeCalls++; |
290 | | |
291 | 14.3k | mWidth = std::min(dec_op.u4_pic_wd, (UWORD32)10240); |
292 | 14.3k | mHeight = std::min(dec_op.u4_pic_ht, (UWORD32)10240); |
293 | | |
294 | | /* Break after successful header decode */ |
295 | 14.3k | if (mWidth && mHeight) { |
296 | 481 | break; |
297 | 481 | } |
298 | 14.3k | } |
299 | | /* if width / height are invalid, set them to defaults */ |
300 | 555 | if (!mWidth) mWidth = 1920; |
301 | 555 | if (!mHeight) mHeight = 1088; |
302 | 555 | } |
303 | | |
304 | | IV_API_CALL_STATUS_T Codec::decodeFrame(const uint8_t *data, size_t size, |
305 | 27.1k | size_t *bytesConsumed) { |
306 | 27.1k | IV_API_CALL_STATUS_T ret; |
307 | 27.1k | ivd_video_decode_ip_t dec_ip{}; |
308 | 27.1k | ivd_video_decode_op_t dec_op{}; |
309 | | |
310 | 27.1k | memset(&dec_ip, 0, sizeof(dec_ip)); |
311 | 27.1k | memset(&dec_op, 0, sizeof(dec_op)); |
312 | | |
313 | 27.1k | dec_ip.e_cmd = IVD_CMD_VIDEO_DECODE; |
314 | 27.1k | dec_ip.u4_ts = 0; |
315 | 27.1k | dec_ip.pv_stream_buffer = (void *)data; |
316 | 27.1k | dec_ip.u4_num_Bytes = size; |
317 | 27.1k | dec_ip.u4_size = sizeof(ivd_video_decode_ip_t); |
318 | 27.1k | dec_ip.s_out_buffer = mOutBufHandle; |
319 | | |
320 | 27.1k | dec_op.u4_size = sizeof(ivd_video_decode_op_t); |
321 | | |
322 | 27.1k | ret = ivd_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op); |
323 | | |
324 | | /* In case of change in resolution, reset codec and feed the same data again |
325 | | */ |
326 | 27.1k | if (IVD_RES_CHANGED == (dec_op.u4_error_code & 0xFF)) { |
327 | 1.64k | resetCodec(); |
328 | 1.64k | ret = ivd_api_function(mCodec, (void *)&dec_ip, (void *)&dec_op); |
329 | 1.64k | } |
330 | 27.1k | *bytesConsumed = dec_op.u4_num_bytes_consumed; |
331 | | |
332 | | /* If no bytes are consumed, then consume 4 bytes to ensure fuzzer proceeds |
333 | | * to feed next data */ |
334 | 27.1k | if (!*bytesConsumed) *bytesConsumed = 4; |
335 | | |
336 | 27.1k | if (dec_op.u4_pic_wd && dec_op.u4_pic_ht && |
337 | 27.1k | (mWidth != dec_op.u4_pic_wd || mHeight != dec_op.u4_pic_ht)) { |
338 | 1.09k | mWidth = std::min(dec_op.u4_pic_wd, (UWORD32)10240); |
339 | 1.09k | mHeight = std::min(dec_op.u4_pic_ht, (UWORD32)10240); |
340 | 1.09k | allocFrame(); |
341 | 1.09k | } |
342 | | |
343 | 27.1k | return ret; |
344 | 27.1k | } |
345 | | |
346 | 555 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
347 | 555 | if (size < 1) { |
348 | 0 | return 0; |
349 | 0 | } |
350 | 555 | size_t colorFormatOfst = std::min((size_t)OFFSET_COLOR_FORMAT, size - 1); |
351 | 555 | size_t numCoresOfst = std::min((size_t)OFFSET_NUM_CORES, size - 1); |
352 | 555 | size_t architectureOfst = std::min((size_t)OFFSET_ARCH, size - 1); |
353 | 555 | size_t architectureIdx = data[architectureOfst] % kSupportedArchitectures; |
354 | 555 | IVD_ARCH_T arch = (IVD_ARCH_T)supportedArchitectures[architectureIdx]; |
355 | 555 | size_t colorFormatIdx = data[colorFormatOfst] % kSupportedColorFormats; |
356 | 555 | IV_COLOR_FORMAT_T colorFormat = |
357 | 555 | (IV_COLOR_FORMAT_T)(supportedColorFormats[colorFormatIdx]); |
358 | 555 | uint32_t numCores = (data[numCoresOfst] % kMaxCores) + 1; |
359 | 555 | size_t numDecodeCalls = 0; |
360 | 555 | Codec *codec = new Codec(colorFormat, numCores); |
361 | 555 | codec->createCodec(); |
362 | 555 | codec->setArchitecture(arch); |
363 | 555 | codec->setCores(); |
364 | 555 | codec->decodeHeader(data, size); |
365 | 555 | codec->setParams(IVD_DECODE_FRAME); |
366 | 555 | codec->allocFrame(); |
367 | | |
368 | 27.6k | while (size > 0 && numDecodeCalls < kMaxNumDecodeCalls) { |
369 | 27.1k | IV_API_CALL_STATUS_T ret; |
370 | 27.1k | size_t bytesConsumed; |
371 | 27.1k | ret = codec->decodeFrame(data, size, &bytesConsumed); |
372 | | |
373 | 27.1k | bytesConsumed = std::min(size, bytesConsumed); |
374 | 27.1k | data += bytesConsumed; |
375 | 27.1k | size -= bytesConsumed; |
376 | 27.1k | numDecodeCalls++; |
377 | 27.1k | } |
378 | | |
379 | 555 | codec->freeFrame(); |
380 | 555 | codec->deleteCodec(); |
381 | 555 | delete codec; |
382 | 555 | return 0; |
383 | 555 | } |