Fuzz introspector: fuzzer-decoder
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

| Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch |
|---|---|---|---|---|---|---|---|
| 14 | 14 | 1: ['oc_parse_amd_flags'] | 14 | 30 | oc_cpu_flags_get | call site: 00091 | /src/libtheora/lib/x86/x86cpu.c:106 |
| 0 | 12 | 2: ['oc_huff_trees_clear', 'oc_state_clear'] | 0 | 12 | oc_dec_init | call site: 00116 | /src/libtheora/lib/decode.c:388 |
| 0 | 3 | 2: ['free', 'oc_aligned_free'] | 0 | 3 | oc_state_ref_bufs_init | call site: 00108 | /src/libtheora/lib/state.c:594 |
| 0 | 2 | 2: ['oc_ycbcr_buffer_flip', 'malloc'] | 0 | 2 | oc_dec_postprocess_init | call site: 00190 | /src/libtheora/lib/decode.c:1209 |
| 0 | 2 | 1: ['oc_state_frarray_clear'] | 0 | 2 | oc_state_init | call site: 00107 | /src/libtheora/lib/state.c:737 |
| 0 | 0 | None | 53 | 125 | th_decode_packetin | call site: 00205 | /src/libtheora/lib/decode.c:2895 |
| 0 | 0 | None | 53 | 125 | th_decode_packetin | call site: 00211 | /src/libtheora/lib/decode.c:2929 |
| 0 | 0 | None | 0 | 9 | oc_dec_init | call site: 00112 | /src/libtheora/lib/decode.c:378 |
| 0 | 0 | None | 0 | 0 | oc_pack_refill | call site: 00015 | /src/libtheora/lib/bitpack.c:48 |
| 0 | 0 | None | 0 | 0 | oc_dec_headerin | call site: 00014 | /src/libtheora/lib/decinfo.c:200 |
| 0 | 0 | None | 0 | 0 | oc_comment_unpack | call site: 00047 | /src/libtheora/lib/decinfo.c:141 |
| 0 | 0 | None | 0 | 0 | oc_comment_unpack | call site: 00049 | /src/libtheora/lib/decinfo.c:153 |

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 fuzzing::datasource::Datasource::Datasource(unsigned char const*, unsigned long) [function] [call site] 00001
2 fuzzing::datasource::Base::Base() [function] [call site] 00002
1 TheoraDecoder::TheoraDecoder(fuzzing::datasource::Datasource&) [function] [call site] 00003
1 TheoraDecoder::Run() [function] [call site] 00004
2 TheoraDecoder::initialize() [function] [call site] 00005
3 th_info_init [function] [call site] 00006
3 th_comment_init [function] [call site] 00007
3 fuzzing::datasource::Base::GetData(unsigned long, unsigned long, unsigned long) [function] [call site] 00008
3 __cxa_begin_catch [call site] 00009
3 __cxa_end_catch [call site] 00010
3 th_decode_headerin [function] [call site] 00011
4 oc_pack_readinit [function] [call site] 00012
4 oc_dec_headerin [function] [call site] 00013
5 oc_pack_read_c [function] [call site] 00014
6 oc_pack_refill [function] [call site] 00015
5 oc_unpack_octets [function] [call site] 00016
6 oc_pack_read_c [function] [call site] 00017
5 memcmp [call site] 00018
5 oc_info_unpack [function] [call site] 00019
6 oc_pack_read_c [function] [call site] 00020
6 oc_pack_read_c [function] [call site] 00021
6 oc_pack_read_c [function] [call site] 00022
6 oc_pack_read_c [function] [call site] 00023
6 oc_pack_read_c [function] [call site] 00024
6 oc_pack_read_c [function] [call site] 00025
6 oc_pack_read_c [function] [call site] 00026
6 oc_pack_read_c [function] [call site] 00027
6 oc_pack_read_c [function] [call site] 00028
6 oc_pack_read_c [function] [call site] 00029
6 oc_pack_read_c [function] [call site] 00030
6 oc_pack_read_c [function] [call site] 00031
6 oc_pack_read_c [function] [call site] 00032
6 oc_pack_read_c [function] [call site] 00033
6 oc_pack_read_c [function] [call site] 00034
6 oc_pack_read_c [function] [call site] 00035
6 oc_pack_read_c [function] [call site] 00036
6 oc_pack_read_c [function] [call site] 00037
6 oc_pack_read_c [function] [call site] 00038
6 oc_pack_bytes_left [function] [call site] 00039
5 th_info_clear [function] [call site] 00040
5 oc_comment_unpack [function] [call site] 00041
6 oc_unpack_length [function] [call site] 00042
7 oc_pack_read_c [function] [call site] 00043
6 oc_pack_bytes_left [function] [call site] 00044
6 oc_unpack_octets [function] [call site] 00045
6 oc_unpack_length [function] [call site] 00046
6 oc_pack_bytes_left [function] [call site] 00047
6 oc_unpack_length [function] [call site] 00048
6 oc_pack_bytes_left [function] [call site] 00049
6 oc_unpack_octets [function] [call site] 00050
6 oc_pack_bytes_left [function] [call site] 00051
5 th_comment_clear [function] [call site] 00052
5 calloc [call site] 00053
5 oc_setup_unpack [function] [call site] 00054
6 oc_quant_params_unpack [function] [call site] 00055
7 oc_pack_read_c [function] [call site] 00056
7 oc_pack_read_c [function] [call site] 00057
7 oc_pack_read_c [function] [call site] 00058
7 oc_pack_read_c [function] [call site] 00059
7 oc_pack_read_c [function] [call site] 00060
7 oc_pack_read1_c [function] [call site] 00062
7 oc_pack_read_c [function] [call site] 00063
7 oc_pack_read_c [function] [call site] 00065
6 oc_huff_trees_unpack [function] [call site] 00066
7 oc_huff_tree_unpack [function] [call site] 00067
8 oc_pack_read1_c [function] [call site] 00068
8 oc_pack_bytes_left [function] [call site] 00069
8 oc_pack_read_c [function] [call site] 00070
7 oc_huff_tree_collapse [function] [call site] 00071
8 oc_huff_tree_collapse_depth [function] [call site] 00072
9 oc_huff_subtree_tokens [function] [call site] 00073
10 oc_huff_subtree_tokens [function] [call site] 00074
8 oc_huff_node_size [function] [call site] 00075
8 oc_huff_subtree_tokens [function] [call site] 00076
7 oc_huff_tree_collapse [function] [call site] 00077
5 oc_setup_clear [function] [call site] 00078
6 oc_quant_params_clear [function] [call site] 00079
6 oc_huff_trees_clear [function] [call site] 00080
3 TheoraDecoder::processComments() const [function] [call site] 00081
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00082
5 fuzzing::memory::memory_test_asan(void const*, unsigned long) [function] [call site] 00083
5 fuzzing::memory::memory_test_msan(void const*, unsigned long) [function] [call site] 00084
3 th_decode_alloc [function] [call site] 00085
4 oc_aligned_malloc [function] [call site] 00086
4 oc_dec_init [function] [call site] 00087
5 oc_state_init [function] [call site] 00088
6 oc_state_accel_init_x86 [function] [call site] 00089
7 oc_state_accel_init_c [function] [call site] 00090
7 oc_cpu_flags_get [function] [call site] 00091
8 oc_parse_intel_flags [function] [call site] 00092
8 oc_parse_amd_flags [function] [call site] 00093
8 oc_parse_intel_flags [function] [call site] 00094
8 oc_parse_intel_flags [function] [call site] 00095
8 oc_parse_amd_flags [function] [call site] 00096
6 oc_state_frarray_init [function] [call site] 00097
7 calloc [call site] 00098
7 calloc [call site] 00099
7 calloc [call site] 00100
7 calloc [call site] 00101
7 oc_sb_create_plane_mapping [function] [call site] 00102
8 oc_sb_quad_top_left_frag [function] [call site] 00103
7 oc_mb_create_mapping [function] [call site] 00104
8 oc_mb_fill_ymapping [function] [call site] 00105
7 oc_state_border_init [function] [call site] 00106
6 oc_state_ref_bufs_init [function] [call site] 00107
7 oc_aligned_malloc [function] [call site] 00108
7 oc_aligned_free [function] [call site] 00109
7 oc_ycbcr_buffer_flip [function] [call site] 00110
6 oc_state_frarray_clear [function] [call site] 00111
5 oc_huff_trees_copy [function] [call site] 00112
6 oc_huff_tree_size [function] [call site] 00113
7 oc_huff_node_size [function] [call site] 00114
7 oc_huff_tree_size [function] [call site] 00115
5 oc_state_clear [function] [call site] 00116
6 oc_state_ref_bufs_clear [function] [call site] 00117
7 oc_aligned_free [function] [call site] 00118
6 oc_state_frarray_clear [function] [call site] 00119
5 oc_huff_trees_clear [function] [call site] 00120
5 oc_state_clear [function] [call site] 00121
5 oc_dequant_tables_init [function] [call site] 00122
6 memcmp [call site] 00123
5 oc_dec_accel_init_c [function] [call site] 00124
4 oc_aligned_free [function] [call site] 00125
3 th_setup_free [function] [call site] 00126
4 oc_setup_clear [function] [call site] 00127
2 bool fuzzing::datasource::Base::Get<bool>(unsigned long) [function] [call site] 00128
2 TheoraDecoder::decodePacket() [function] [call site] 00129
3 fuzzing::datasource::Base::GetData(unsigned long, unsigned long, unsigned long) [function] [call site] 00130
3 th_decode_packetin [function] [call site] 00131
4 oc_pack_readinit [function] [call site] 00132
4 oc_dec_frame_header_unpack [function] [call site] 00133
5 oc_pack_read1_c [function] [call site] 00134
5 oc_pack_read1_c [function] [call site] 00135
5 oc_pack_read_c [function] [call site] 00136
5 oc_pack_read1_c [function] [call site] 00137
5 oc_pack_read_c [function] [call site] 00138
5 oc_pack_read1_c [function] [call site] 00139
5 oc_pack_read_c [function] [call site] 00140
5 oc_pack_read_c [function] [call site] 00141
4 oc_dec_mark_all_intra [function] [call site] 00142
4 oc_dec_coded_flags_unpack [function] [call site] 00143
5 oc_dec_partial_sb_flags_unpack [function] [call site] 00144
6 oc_pack_read1_c [function] [call site] 00145
6 oc_sb_run_unpack [function] [call site] 00146
7 oc_huff_token_decode_c [function] [call site] 00147
7 oc_pack_read_c [function] [call site] 00148
6 oc_pack_read1_c [function] [call site] 00149
5 oc_dec_coded_sb_flags_unpack [function] [call site] 00150
6 oc_pack_read1_c [function] [call site] 00151
6 oc_sb_run_unpack [function] [call site] 00152
6 oc_pack_read1_c [function] [call site] 00153
5 oc_pack_read1_c [function] [call site] 00154
5 oc_block_run_unpack [function] [call site] 00155
6 oc_huff_token_decode_c [function] [call site] 00156
4 oc_dec_init_dummy_frame [function] [call site] 00157
4 oc_dec_mb_modes_unpack [function] [call site] 00158
5 oc_pack_read_c [function] [call site] 00159
5 oc_pack_read_c [function] [call site] 00160
5 oc_huff_token_decode_c [function] [call site] 00161
4 oc_dec_mv_unpack_and_frag_modes_fill [function] [call site] 00162
5 oc_pack_read1_c [function] [call site] 00163
5 oc_mv_unpack [function] [call site] 00164
6 oc_huff_token_decode_c [function] [call site] 00165
6 oc_huff_token_decode_c [function] [call site] 00166
5 oc_mv_unpack [function] [call site] 00167
5 oc_mv_unpack [function] [call site] 00168
4 oc_dec_block_qis_unpack [function] [call site] 00169
5 oc_pack_read1_c [function] [call site] 00170
5 oc_sb_run_unpack [function] [call site] 00171
5 oc_pack_read1_c [function] [call site] 00172
5 oc_pack_read1_c [function] [call site] 00173
5 oc_sb_run_unpack [function] [call site] 00174
5 oc_pack_read1_c [function] [call site] 00175
4 oc_dec_residual_tokens_unpack [function] [call site] 00176
5 oc_pack_read_c [function] [call site] 00177
5 oc_pack_read_c [function] [call site] 00178
5 oc_dec_dc_coeff_unpack [function] [call site] 00179
6 oc_huff_token_decode_c [function] [call site] 00180
6 oc_pack_read_c [function] [call site] 00181
5 oc_pack_read_c [function] [call site] 00182
5 oc_pack_read_c [function] [call site] 00183
5 oc_dec_ac_coeff_unpack [function] [call site] 00184
6 oc_huff_token_decode_c [function] [call site] 00185
6 oc_pack_read_c [function] [call site] 00186
4 oc_dec_pipeline_init [function] [call site] 00187
5 oc_loop_filter_init_mmxext [function] [call site] 00188
5 oc_dec_postprocess_init [function] [call site] 00189
6 oc_restore_fpu_mmx [function] [call site] 00190
6 oc_ycbcr_buffer_flip [function] [call site] 00191
4 oc_ycbcr_buffer_flip [function] [call site] 00192
4 oc_dec_dc_unpredict_mcu_plane_c [function] [call site] 00193
4 oc_dec_frags_recon_mcu_plane [function] [call site] 00194
5 oc_state_frag_recon_mmx [function] [call site] 00195
6 oc_idct8x8_sse2 [function] [call site] 00196
7 oc_idct8x8_10_sse2 [function] [call site] 00197
7 oc_idct8x8_slow_sse2 [function] [call site] 00198
6 oc_frag_recon_intra_mmx [function] [call site] 00199
6 oc_state_get_mv_offsets [function] [call site] 00200
6 oc_frag_recon_inter2_mmx [function] [call site] 00201
6 oc_frag_recon_inter_mmx [function] [call site] 00202
5 oc_frag_copy_list_mmx [function] [call site] 00203
4 oc_state_loop_filter_frag_rows_mmxext [function] [call site] 00204
4 oc_state_borders_fill_rows [function] [call site] 00205
4 oc_dec_deblock_frag_rows [function] [call site] 00206
5 oc_filter_hedge [function] [call site] 00207
5 oc_filter_hedge [function] [call site] 00208
5 oc_filter_vedge [function] [call site] 00209
5 oc_filter_vedge [function] [call site] 00210
4 oc_dec_dering_frag_rows [function] [call site] 00211
5 oc_dering_block [function] [call site] 00212
5 oc_dering_block [function] [call site] 00213
5 oc_dering_block [function] [call site] 00214
5 oc_dering_block [function] [call site] 00215
5 oc_dering_block [function] [call site] 00216
4 oc_restore_fpu_mmx [function] [call site] 00217
4 oc_state_borders_fill_caps [function] [call site] 00218
4 oc_restore_fpu_mmx [function] [call site] 00219
3 void fuzzing::memory::memory_test<long>(long const&) [function] [call site] 00220
3 th_decode_ycbcr_out [function] [call site] 00221
4 oc_ycbcr_buffer_flip [function] [call site] 00222
3 TheoraDecoder::writeImage(th_img_plane const (&) [3]) const [function] [call site] 00223
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00224
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00225
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00226
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00227
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00228
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00229
2 __cxa_begin_catch [call site] 00230
1 TheoraDecoder::~TheoraDecoder() [function] [call site] 00231
2 th_info_clear [function] [call site] 00232
2 th_comment_clear [function] [call site] 00233
2 th_decode_free [function] [call site] 00234
3 oc_dec_clear [function] [call site] 00235
4 oc_huff_trees_clear [function] [call site] 00236
4 oc_state_clear [function] [call site] 00237
3 oc_aligned_free [function] [call site] 00238
2 th_setup_free [function] [call site] 00239
2 __clang_call_terminate [call site] 00240
3 __cxa_begin_catch [call site] 00241
1 fuzzing::datasource::Datasource::~Datasource() [function] [call site] 00242
2 fuzzing::datasource::Base::~Base() [function] [call site] 00243