/src/libvpx/examples/vpx_dec_fuzzer.cc

Source
/*
 *  Copyright (c) 2018 The WebM project authors. All Rights Reserved.
 *
 *  Use of this source code is governed by a BSD-style license
 *  that can be found in the LICENSE file in the root of the source
 *  tree. An additional intellectual property rights grant can be found
 *  in the file PATENTS.  All contributing project authors may
 *  be found in the AUTHORS file in the root of the source tree.
 */

/*
 * Fuzzer for libvpx decoders
 * ==========================
 * Requirements
 * --------------
 * Requires Clang 6.0 or above as -fsanitize=fuzzer is used as a linker
 * option.

 * Steps to build
 * --------------
 * Clone libvpx repository
   $git clone https://chromium.googlesource.com/webm/libvpx

 * Create a directory in parallel to libvpx and change directory
   $mkdir vpx_dec_fuzzer
   $cd vpx_dec_fuzzer/

 * Enable sanitizers (Supported: address integer memory thread undefined)
   $source ../libvpx/tools/set_analyzer_env.sh address

 * Configure libvpx.
 * Note --size-limit and VPX_MAX_ALLOCABLE_MEMORY are defined to avoid
 * Out of memory errors when running generated fuzzer binary
   $../libvpx/configure --disable-unit-tests --size-limit=12288x12288 \
   --extra-cflags="-fsanitize=fuzzer-no-link \
   -DVPX_MAX_ALLOCABLE_MEMORY=1073741824" \
   --disable-webm-io --enable-debug --disable-vp8-encoder \
   --disable-vp9-encoder --disable-examples

 * Build libvpx
   $make -j32

 * Build vp9 fuzzer
   $ $CXX $CXXFLAGS -std=gnu++17 -Wall -Wextra -Wimplicit-fallthrough \
   -DDECODER=vp9 -fsanitize=fuzzer -I../libvpx -I. -Wl,--start-group \
   ../libvpx/examples/vpx_dec_fuzzer.cc -o ./vpx_dec_fuzzer_vp9 \
   ./libvpx.a -Wl,--end-group

 * DECODER should be defined as vp9 or vp8 to enable vp9/vp8
 *
 * create a corpus directory and copy some ivf files there.
 * Based on which codec (vp8/vp9) is being tested, it is recommended to
 * have corresponding ivf files in corpus directory
 * Empty corpus directoy also is acceptable, though not recommended
   $mkdir CORPUS && cp some-files CORPUS

 * Run fuzzing:
   $./vpx_dec_fuzzer_vp9 CORPUS

 * References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
 */

#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <algorithm>
#include <memory>

#include "third_party/nalloc/nalloc.h"
#include "vpx/vp8dx.h"
#include "vpx/vpx_decoder.h"
#include "vpx_ports/mem_ops.h"

#define IVF_FRAME_HDR_SZ (4 + 8) /* 4 byte size + 8 byte timestamp */
#define IVF_FILE_HDR_SZ 32

#define VPXD_INTERFACE(name) VPXD_INTERFACE_(name)
#define VPXD_INTERFACE_(name) vpx_codec_##name##_dx()

extern "C" void usage_exit(void) { exit(EXIT_FAILURE); }

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size <= IVF_FILE_HDR_SZ) {
    return 0;
  }
  nalloc_init(nullptr);

  vpx_codec_ctx_t codec;
  // Set thread count in the range [1, 64].
  const unsigned int threads = (data[IVF_FILE_HDR_SZ] & 0x3f) + 1;
  vpx_codec_dec_cfg_t cfg = { threads, 0, 0 };
  vpx_codec_flags_t flags = 0;
  if ((data[IVF_FILE_HDR_SZ] & 0x40) != 0) {
    flags |= VPX_CODEC_USE_POSTPROC;
  }
  vpx_codec_err_t err =
      vpx_codec_dec_init(&codec, VPXD_INTERFACE(DECODER), &cfg, flags);
  if (err == VPX_CODEC_INCAPABLE) {
    // vpx_codec_dec_init may fail with VPX_CODEC_USE_POSTPROC
    // if the library is configured with --disable-postproc.
    flags = 0;
    if (vpx_codec_dec_init(&codec, VPXD_INTERFACE(DECODER), &cfg, flags)) {
      return 0;
    }
  } else if (err != 0) {
    return 0;
  }

  nalloc_start(data, size);

  if (threads > 1) {
    const int enable = (data[IVF_FILE_HDR_SZ] & 0xa0) != 0;
    err = vpx_codec_control(&codec, VP9D_SET_LOOP_FILTER_OPT, enable);
  }

  data += IVF_FILE_HDR_SZ;
  size -= IVF_FILE_HDR_SZ;

  int frame_cnt = 0;
  while (size > IVF_FRAME_HDR_SZ) {
    size_t frame_size = mem_get_le32(data);
    size -= IVF_FRAME_HDR_SZ;
    data += IVF_FRAME_HDR_SZ;
    frame_size = std::min(size, frame_size);

    vpx_codec_stream_info_t stream_info;
    stream_info.sz = sizeof(stream_info);
    err = vpx_codec_peek_stream_info(VPXD_INTERFACE(DECODER), data, size,
                                     &stream_info);

    ++frame_cnt;
    if (flags & VPX_CODEC_USE_POSTPROC) {
      if (frame_cnt % 16 == 4) {
        vp8_postproc_cfg_t pp = { 0, 0, 0 };
        if (vpx_codec_control(&codec, VP8_SET_POSTPROC, &pp)) goto fail;
      } else if (frame_cnt % 16 == 12) {
        vp8_postproc_cfg_t pp = { VP8_DEBLOCK | VP8_DEMACROBLOCK | VP8_MFQE, 4,
                                  0 };
        if (vpx_codec_control(&codec, VP8_SET_POSTPROC, &pp)) goto fail;
      }
    }

    err = vpx_codec_decode(&codec, data, frame_size, nullptr, 0);
    static_cast<void>(err);
    vpx_codec_iter_t iter = nullptr;
    vpx_image_t *img = nullptr;
    while ((img = vpx_codec_get_frame(&codec, &iter)) != nullptr) {
    }
    data += frame_size;
    size -= frame_size;
  }
fail:
  vpx_codec_destroy(&codec);
  nalloc_end();
  return 0;
}

Line	Count	Source
1		/*
2		* Copyright (c) 2018 The WebM project authors. All Rights Reserved.
3		*
4		* Use of this source code is governed by a BSD-style license
5		* that can be found in the LICENSE file in the root of the source
6		* tree. An additional intellectual property rights grant can be found
7		* in the file PATENTS. All contributing project authors may
8		* be found in the AUTHORS file in the root of the source tree.
9		*/
10
11		/*
12		* Fuzzer for libvpx decoders
13		* ==========================
14		* Requirements
15		* --------------
16		* Requires Clang 6.0 or above as -fsanitize=fuzzer is used as a linker
17		* option.
18
19		* Steps to build
20		* --------------
21		* Clone libvpx repository
22		$git clone https://chromium.googlesource.com/webm/libvpx
23
24		* Create a directory in parallel to libvpx and change directory
25		$mkdir vpx_dec_fuzzer
26		$cd vpx_dec_fuzzer/
27
28		* Enable sanitizers (Supported: address integer memory thread undefined)
29		$source ../libvpx/tools/set_analyzer_env.sh address
30
31		* Configure libvpx.
32		* Note --size-limit and VPX_MAX_ALLOCABLE_MEMORY are defined to avoid
33		* Out of memory errors when running generated fuzzer binary
34		$../libvpx/configure --disable-unit-tests --size-limit=12288x12288 \
35		--extra-cflags="-fsanitize=fuzzer-no-link \
36		-DVPX_MAX_ALLOCABLE_MEMORY=1073741824" \
37		--disable-webm-io --enable-debug --disable-vp8-encoder \
38		--disable-vp9-encoder --disable-examples
39
40		* Build libvpx
41		$make -j32
42
43		* Build vp9 fuzzer
44		$ $CXX $CXXFLAGS -std=gnu++17 -Wall -Wextra -Wimplicit-fallthrough \
45		-DDECODER=vp9 -fsanitize=fuzzer -I../libvpx -I. -Wl,--start-group \
46		../libvpx/examples/vpx_dec_fuzzer.cc -o ./vpx_dec_fuzzer_vp9 \
47		./libvpx.a -Wl,--end-group
48
49		* DECODER should be defined as vp9 or vp8 to enable vp9/vp8
50		*
51		* create a corpus directory and copy some ivf files there.
52		* Based on which codec (vp8/vp9) is being tested, it is recommended to
53		* have corresponding ivf files in corpus directory
54		* Empty corpus directoy also is acceptable, though not recommended
55		$mkdir CORPUS && cp some-files CORPUS
56
57		* Run fuzzing:
58		$./vpx_dec_fuzzer_vp9 CORPUS
59
60		* References:
61		* http://llvm.org/docs/LibFuzzer.html
62		* https://github.com/google/oss-fuzz
63		*/
64
65		#include <stddef.h>
66		#include <stdint.h>
67		#include <stdio.h>
68		#include <stdlib.h>
69		#include <algorithm>
70		#include <memory>
71
72		#include "third_party/nalloc/nalloc.h"
73		#include "vpx/vp8dx.h"
74		#include "vpx/vpx_decoder.h"
75		#include "vpx_ports/mem_ops.h"
76
77	3.09M	#define IVF_FRAME_HDR_SZ (4 + 8) /* 4 byte size + 8 byte timestamp */
78	281k	#define IVF_FILE_HDR_SZ 32
79
80	1.01M	#define VPXD_INTERFACE(name) VPXD_INTERFACE_(name)
81	1.01M	#define VPXD_INTERFACE_(name) vpx_codec_##name##_dx()
82
83	0	extern "C" void usage_exit(void) { exit(EXIT_FAILURE); }
84
85	48.9k	extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
86	48.9k	if (size <= IVF_FILE_HDR_SZ) {
87	39	return 0;
88	39	}
89	48.9k	nalloc_init(nullptr);
90
91	48.9k	vpx_codec_ctx_t codec;
92		// Set thread count in the range [1, 64].
93	48.9k	const unsigned int threads = (data[IVF_FILE_HDR_SZ] & 0x3f) + 1;
94	48.9k	vpx_codec_dec_cfg_t cfg = { threads, 0, 0 };
95	48.9k	vpx_codec_flags_t flags = 0;
96	48.9k	if ((data[IVF_FILE_HDR_SZ] & 0x40) != 0) {
97	13.1k	flags \|= VPX_CODEC_USE_POSTPROC;
98	13.1k	}
99	48.9k	vpx_codec_err_t err =
100	48.9k	vpx_codec_dec_init(&codec, VPXD_INTERFACE(DECODER), &cfg, flags);
101	48.9k	if (err == VPX_CODEC_INCAPABLE) {
102		// vpx_codec_dec_init may fail with VPX_CODEC_USE_POSTPROC
103		// if the library is configured with --disable-postproc.
104	9.62k	flags = 0;
105	9.62k	if (vpx_codec_dec_init(&codec, VPXD_INTERFACE(DECODER), &cfg, flags)) {
106	0	return 0;
107	0	}
108	39.3k	} else if (err != 0) {
109	0	return 0;
110	0	}
111
112	48.9k	nalloc_start(data, size);
113
114	48.9k	if (threads > 1) {
115	36.7k	const int enable = (data[IVF_FILE_HDR_SZ] & 0xa0) != 0;
116	36.7k	err = vpx_codec_control(&codec, VP9D_SET_LOOP_FILTER_OPT, enable);
117	36.7k	}
118
119	48.9k	data += IVF_FILE_HDR_SZ;
120	48.9k	size -= IVF_FILE_HDR_SZ;
121
122	48.9k	int frame_cnt = 0;
123	1.06M	while (size > IVF_FRAME_HDR_SZ) {
124	1.01M	size_t frame_size = mem_get_le32(data);
125	1.01M	size -= IVF_FRAME_HDR_SZ;
126	1.01M	data += IVF_FRAME_HDR_SZ;
127	1.01M	frame_size = std::min(size, frame_size);
128
129	1.01M	vpx_codec_stream_info_t stream_info;
130	1.01M	stream_info.sz = sizeof(stream_info);
131	1.01M	err = vpx_codec_peek_stream_info(VPXD_INTERFACE(DECODER), data, size,
132	1.01M	&stream_info);
133
134	1.01M	++frame_cnt;
135	1.01M	if (flags & VPX_CODEC_USE_POSTPROC) {
136	116k	if (frame_cnt % 16 == 4) {
137	7.39k	vp8_postproc_cfg_t pp = { 0, 0, 0 };
138	7.39k	if (vpx_codec_control(&codec, VP8_SET_POSTPROC, &pp)) goto fail;
139	108k	} else if (frame_cnt % 16 == 12) {
140	6.90k	vp8_postproc_cfg_t pp = { VP8_DEBLOCK \| VP8_DEMACROBLOCK \| VP8_MFQE, 4,
141	6.90k	0 };
142	6.90k	if (vpx_codec_control(&codec, VP8_SET_POSTPROC, &pp)) goto fail;
143	6.90k	}
144	116k	}
145
146	1.01M	err = vpx_codec_decode(&codec, data, frame_size, nullptr, 0);
147	1.01M	static_cast<void>(err);
148	1.01M	vpx_codec_iter_t iter = nullptr;
149	1.01M	vpx_image_t *img = nullptr;
150	1.08M	while ((img = vpx_codec_get_frame(&codec, &iter)) != nullptr) {
151	71.1k	}
152	1.01M	data += frame_size;
153	1.01M	size -= frame_size;
154	1.01M	}
155	48.9k	fail:
156	48.9k	vpx_codec_destroy(&codec);
157	48.9k	nalloc_end();
158	48.9k	return 0;
159	48.9k	}

Coverage Report

Created: 2026-02-14 06:20