/src/libvpx/examples/vpx_dec_fuzzer.cc
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (c) 2018 The WebM project authors. All Rights Reserved. |
3 | | * |
4 | | * Use of this source code is governed by a BSD-style license |
5 | | * that can be found in the LICENSE file in the root of the source |
6 | | * tree. An additional intellectual property rights grant can be found |
7 | | * in the file PATENTS. All contributing project authors may |
8 | | * be found in the AUTHORS file in the root of the source tree. |
9 | | */ |
10 | | |
11 | | /* |
12 | | * Fuzzer for libvpx decoders |
13 | | * ========================== |
14 | | * Requirements |
15 | | * -------------- |
16 | | * Requires Clang 6.0 or above as -fsanitize=fuzzer is used as a linker |
17 | | * option. |
18 | | |
19 | | * Steps to build |
20 | | * -------------- |
21 | | * Clone libvpx repository |
22 | | $git clone https://chromium.googlesource.com/webm/libvpx |
23 | | |
24 | | * Create a directory in parallel to libvpx and change directory |
25 | | $mkdir vpx_dec_fuzzer |
26 | | $cd vpx_dec_fuzzer/ |
27 | | |
28 | | * Enable sanitizers (Supported: address integer memory thread undefined) |
29 | | $source ../libvpx/tools/set_analyzer_env.sh address |
30 | | |
31 | | * Configure libvpx. |
32 | | * Note --size-limit and VPX_MAX_ALLOCABLE_MEMORY are defined to avoid |
33 | | * Out of memory errors when running generated fuzzer binary |
34 | | $../libvpx/configure --disable-unit-tests --size-limit=12288x12288 \ |
35 | | --extra-cflags="-fsanitize=fuzzer-no-link \ |
36 | | -DVPX_MAX_ALLOCABLE_MEMORY=1073741824" \ |
37 | | --disable-webm-io --enable-debug --disable-vp8-encoder \ |
38 | | --disable-vp9-encoder --disable-examples |
39 | | |
40 | | * Build libvpx |
41 | | $make -j32 |
42 | | |
43 | | * Build vp9 fuzzer |
44 | | $ $CXX $CXXFLAGS -std=gnu++17 -DDECODER=vp9 \ |
45 | | -fsanitize=fuzzer -I../libvpx -I. -Wl,--start-group \ |
46 | | ../libvpx/examples/vpx_dec_fuzzer.cc -o ./vpx_dec_fuzzer_vp9 \ |
47 | | ./libvpx.a -Wl,--end-group |
48 | | |
49 | | * DECODER should be defined as vp9 or vp8 to enable vp9/vp8 |
50 | | * |
51 | | * create a corpus directory and copy some ivf files there. |
52 | | * Based on which codec (vp8/vp9) is being tested, it is recommended to |
53 | | * have corresponding ivf files in corpus directory |
54 | | * Empty corpus directoy also is acceptable, though not recommended |
55 | | $mkdir CORPUS && cp some-files CORPUS |
56 | | |
57 | | * Run fuzzing: |
58 | | $./vpx_dec_fuzzer_vp9 CORPUS |
59 | | |
60 | | * References: |
61 | | * http://llvm.org/docs/LibFuzzer.html |
62 | | * https://github.com/google/oss-fuzz |
63 | | */ |
64 | | |
65 | | #include <stddef.h> |
66 | | #include <stdint.h> |
67 | | #include <stdio.h> |
68 | | #include <stdlib.h> |
69 | | #include <algorithm> |
70 | | #include <memory> |
71 | | |
72 | | #include "vpx/vp8dx.h" |
73 | | #include "vpx/vpx_decoder.h" |
74 | | #include "vpx_ports/mem_ops.h" |
75 | | |
76 | 685k | #define IVF_FRAME_HDR_SZ (4 + 8) /* 4 byte size + 8 byte timestamp */ |
77 | 90.7k | #define IVF_FILE_HDR_SZ 32 |
78 | | |
79 | 222k | #define VPXD_INTERFACE(name) VPXD_INTERFACE_(name) |
80 | 222k | #define VPXD_INTERFACE_(name) vpx_codec_##name##_dx() |
81 | | |
82 | 0 | extern "C" void usage_exit(void) { exit(EXIT_FAILURE); } |
83 | | |
84 | 18.8k | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { |
85 | 18.8k | if (size <= IVF_FILE_HDR_SZ) { |
86 | 18 | return 0; |
87 | 18 | } |
88 | | |
89 | 18.8k | vpx_codec_ctx_t codec; |
90 | | // Set thread count in the range [1, 64]. |
91 | 18.8k | const unsigned int threads = (data[IVF_FILE_HDR_SZ] & 0x3f) + 1; |
92 | 18.8k | vpx_codec_dec_cfg_t cfg = { threads, 0, 0 }; |
93 | 18.8k | if (vpx_codec_dec_init(&codec, VPXD_INTERFACE(DECODER), &cfg, 0)) { |
94 | 0 | return 0; |
95 | 0 | } |
96 | | |
97 | 18.8k | if (threads > 1) { |
98 | 15.4k | const int enable = (data[IVF_FILE_HDR_SZ] & 0xa0) != 0; |
99 | 15.4k | const vpx_codec_err_t err = |
100 | 15.4k | vpx_codec_control(&codec, VP9D_SET_LOOP_FILTER_OPT, enable); |
101 | 15.4k | static_cast<void>(err); |
102 | 15.4k | } |
103 | | |
104 | 18.8k | data += IVF_FILE_HDR_SZ; |
105 | 18.8k | size -= IVF_FILE_HDR_SZ; |
106 | | |
107 | 240k | while (size > IVF_FRAME_HDR_SZ) { |
108 | 222k | size_t frame_size = mem_get_le32(data); |
109 | 222k | size -= IVF_FRAME_HDR_SZ; |
110 | 222k | data += IVF_FRAME_HDR_SZ; |
111 | 222k | frame_size = std::min(size, frame_size); |
112 | | |
113 | 222k | vpx_codec_stream_info_t stream_info; |
114 | 222k | stream_info.sz = sizeof(stream_info); |
115 | 222k | vpx_codec_err_t err = vpx_codec_peek_stream_info(VPXD_INTERFACE(DECODER), |
116 | 222k | data, size, &stream_info); |
117 | 222k | static_cast<void>(err); |
118 | | |
119 | 222k | err = vpx_codec_decode(&codec, data, frame_size, nullptr, 0); |
120 | 222k | static_cast<void>(err); |
121 | 222k | vpx_codec_iter_t iter = nullptr; |
122 | 222k | vpx_image_t *img = nullptr; |
123 | 270k | while ((img = vpx_codec_get_frame(&codec, &iter)) != nullptr) { |
124 | 48.6k | } |
125 | 222k | data += frame_size; |
126 | 222k | size -= frame_size; |
127 | 222k | } |
128 | 18.8k | vpx_codec_destroy(&codec); |
129 | 18.8k | return 0; |
130 | 18.8k | } |