Fuzz introspector: fuzzer-decoder
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

| Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch |
|---|---|---|---|---|---|---|---|
| 0 | 12 | 2: ['oc_huff_trees_clear', 'oc_state_clear'] | 0 | 12 | oc_dec_init | call site: 00118 | /src/libtheora/lib/decode.c:388 |
| 0 | 3 | 2: ['oc_aligned_free', 'free'] | 0 | 3 | oc_state_ref_bufs_init | call site: 00110 | /src/libtheora/lib/state.c:594 |
| 0 | 2 | 2: ['malloc', 'oc_ycbcr_buffer_flip'] | 0 | 2 | oc_dec_postprocess_init | call site: 00192 | /src/libtheora/lib/decode.c:1209 |
| 0 | 2 | 1: ['oc_state_frarray_clear'] | 0 | 2 | oc_state_init | call site: 00109 | /src/libtheora/lib/state.c:737 |
| 0 | 0 | None | 53 | 125 | th_decode_packetin | call site: 00207 | /src/libtheora/lib/decode.c:2895 |
| 0 | 0 | None | 53 | 125 | th_decode_packetin | call site: 00213 | /src/libtheora/lib/decode.c:2929 |
| 0 | 0 | None | 0 | 15 | oc_cpu_flags_get | call site: 00094 | /src/libtheora/lib/x86/x86cpu.c:123 |
| 0 | 0 | None | 0 | 9 | oc_dec_init | call site: 00114 | /src/libtheora/lib/decode.c:378 |
| 0 | 0 | None | 0 | 8 | oc_cpu_flags_get | call site: 00093 | /src/libtheora/lib/x86/x86cpu.c:106 |
| 0 | 0 | None | 0 | 0 | oc_pack_refill | call site: 00015 | /src/libtheora/lib/bitpack.c:48 |
| 0 | 0 | None | 0 | 0 | oc_dec_headerin | call site: 00014 | /src/libtheora/lib/decinfo.c:205 |
| 0 | 0 | None | 0 | 0 | oc_comment_unpack | call site: 00047 | /src/libtheora/lib/decinfo.c:142 |

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 fuzzing::datasource::Datasource::Datasource(unsigned char const*, unsigned long) [function] [call site] 00001
2 fuzzing::datasource::Base::Base() [function] [call site] 00002
1 TheoraDecoder::TheoraDecoder(fuzzing::datasource::Datasource&) [function] [call site] 00003
1 TheoraDecoder::Run() [function] [call site] 00004
2 TheoraDecoder::initialize() [function] [call site] 00005
3 th_info_init [function] [call site] 00006
3 th_comment_init [function] [call site] 00007
3 fuzzing::datasource::Base::GetData(unsigned long, unsigned long, unsigned long) [function] [call site] 00008
3 __cxa_begin_catch [call site] 00009
3 __cxa_end_catch [call site] 00010
3 th_decode_headerin [function] [call site] 00011
4 oc_pack_readinit [function] [call site] 00012
4 oc_dec_headerin [function] [call site] 00013
5 oc_pack_read_c [function] [call site] 00014
6 oc_pack_refill [function] [call site] 00015
5 oc_unpack_octets [function] [call site] 00016
6 oc_pack_read_c [function] [call site] 00017
5 memcmp [call site] 00018
5 oc_info_unpack [function] [call site] 00019
6 oc_pack_read_c [function] [call site] 00020
6 oc_pack_read_c [function] [call site] 00021
6 oc_pack_read_c [function] [call site] 00022
6 oc_pack_read_c [function] [call site] 00023
6 oc_pack_read_c [function] [call site] 00024
6 oc_pack_read_c [function] [call site] 00025
6 oc_pack_read_c [function] [call site] 00026
6 oc_pack_read_c [function] [call site] 00027
6 oc_pack_read_c [function] [call site] 00028
6 oc_pack_read_c [function] [call site] 00029
6 oc_pack_read_c [function] [call site] 00030
6 oc_pack_read_c [function] [call site] 00031
6 oc_pack_read_c [function] [call site] 00032
6 oc_pack_read_c [function] [call site] 00033
6 oc_pack_read_c [function] [call site] 00034
6 oc_pack_read_c [function] [call site] 00035
6 oc_pack_read_c [function] [call site] 00036
6 oc_pack_read_c [function] [call site] 00037
6 oc_pack_read_c [function] [call site] 00038
6 oc_pack_bytes_left [function] [call site] 00039
5 th_info_clear [function] [call site] 00040
5 oc_comment_unpack [function] [call site] 00041
6 oc_unpack_length [function] [call site] 00042
7 oc_pack_read_c [function] [call site] 00043
6 oc_pack_bytes_left [function] [call site] 00044
6 oc_unpack_octets [function] [call site] 00045
6 oc_unpack_length [function] [call site] 00046
6 oc_pack_bytes_left [function] [call site] 00047
6 oc_unpack_length [function] [call site] 00048
6 oc_pack_bytes_left [function] [call site] 00049
6 oc_unpack_octets [function] [call site] 00050
6 oc_pack_bytes_left [function] [call site] 00051
5 th_comment_clear [function] [call site] 00052
5 calloc [call site] 00053
5 oc_setup_unpack [function] [call site] 00054
6 oc_quant_params_unpack [function] [call site] 00055
7 oc_pack_read_c [function] [call site] 00056
7 oc_pack_read_c [function] [call site] 00057
7 oc_pack_read_c [function] [call site] 00058
7 oc_pack_read_c [function] [call site] 00059
7 oc_pack_read_c [function] [call site] 00060
7 oc_pack_read1_c [function] [call site] 00062
8 oc_pack_refill [function] [call site] 00063
7 oc_pack_read1_c [function] [call site] 00064
7 oc_pack_read_c [function] [call site] 00065
7 oc_pack_read_c [function] [call site] 00067
6 oc_huff_trees_unpack [function] [call site] 00068
7 oc_huff_tree_unpack [function] [call site] 00069
8 oc_pack_read1_c [function] [call site] 00070
8 oc_pack_bytes_left [function] [call site] 00071
8 oc_pack_read_c [function] [call site] 00072
7 oc_huff_tree_collapse [function] [call site] 00073
8 oc_huff_tree_collapse_depth [function] [call site] 00074
9 oc_huff_subtree_tokens [function] [call site] 00075
10 oc_huff_subtree_tokens [function] [call site] 00076
8 oc_huff_node_size [function] [call site] 00077
8 oc_huff_subtree_tokens [function] [call site] 00078
7 oc_huff_tree_collapse [function] [call site] 00079
5 oc_setup_clear [function] [call site] 00080
6 oc_quant_params_clear [function] [call site] 00081
6 oc_huff_trees_clear [function] [call site] 00082
3 TheoraDecoder::processComments() const [function] [call site] 00083
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00084
5 fuzzing::memory::memory_test_asan(void const*, unsigned long) [function] [call site] 00085
5 fuzzing::memory::memory_test_msan(void const*, unsigned long) [function] [call site] 00086
3 th_decode_alloc [function] [call site] 00087
4 oc_aligned_malloc [function] [call site] 00088
4 oc_dec_init [function] [call site] 00089
5 oc_state_init [function] [call site] 00090
6 oc_state_accel_init_x86 [function] [call site] 00091
7 oc_state_accel_init_c [function] [call site] 00092
7 oc_cpu_flags_get [function] [call site] 00093
8 oc_parse_intel_flags [function] [call site] 00094
8 oc_parse_amd_flags [function] [call site] 00095
8 oc_parse_intel_flags [function] [call site] 00096
8 oc_parse_intel_flags [function] [call site] 00097
8 oc_parse_amd_flags [function] [call site] 00098
6 oc_state_frarray_init [function] [call site] 00099
7 calloc [call site] 00100
7 calloc [call site] 00101
7 calloc [call site] 00102
7 calloc [call site] 00103
7 oc_sb_create_plane_mapping [function] [call site] 00104
8 oc_sb_quad_top_left_frag [function] [call site] 00105
7 oc_mb_create_mapping [function] [call site] 00106
8 oc_mb_fill_ymapping [function] [call site] 00107
7 oc_state_border_init [function] [call site] 00108
6 oc_state_ref_bufs_init [function] [call site] 00109
7 oc_aligned_malloc [function] [call site] 00110
7 oc_aligned_free [function] [call site] 00111
7 oc_ycbcr_buffer_flip [function] [call site] 00112
6 oc_state_frarray_clear [function] [call site] 00113
5 oc_huff_trees_copy [function] [call site] 00114
6 oc_huff_tree_size [function] [call site] 00115
7 oc_huff_node_size [function] [call site] 00116
7 oc_huff_tree_size [function] [call site] 00117
5 oc_state_clear [function] [call site] 00118
6 oc_state_ref_bufs_clear [function] [call site] 00119
7 oc_aligned_free [function] [call site] 00120
6 oc_state_frarray_clear [function] [call site] 00121
5 oc_huff_trees_clear [function] [call site] 00122
5 oc_state_clear [function] [call site] 00123
5 oc_dequant_tables_init [function] [call site] 00124
6 memcmp [call site] 00125
5 oc_dec_accel_init_c [function] [call site] 00126
4 oc_aligned_free [function] [call site] 00127
3 th_setup_free [function] [call site] 00128
4 oc_setup_clear [function] [call site] 00129
2 bool fuzzing::datasource::Base::Get<bool>(unsigned long) [function] [call site] 00130
2 TheoraDecoder::decodePacket() [function] [call site] 00131
3 fuzzing::datasource::Base::GetData(unsigned long, unsigned long, unsigned long) [function] [call site] 00132
3 th_decode_packetin [function] [call site] 00133
4 oc_pack_readinit [function] [call site] 00134
4 oc_dec_frame_header_unpack [function] [call site] 00135
5 oc_pack_read1_c [function] [call site] 00136
5 oc_pack_read1_c [function] [call site] 00137
5 oc_pack_read_c [function] [call site] 00138
5 oc_pack_read1_c [function] [call site] 00139
5 oc_pack_read_c [function] [call site] 00140
5 oc_pack_read1_c [function] [call site] 00141
5 oc_pack_read_c [function] [call site] 00142
5 oc_pack_read_c [function] [call site] 00143
4 oc_dec_mark_all_intra [function] [call site] 00144
4 oc_dec_coded_flags_unpack [function] [call site] 00145
5 oc_dec_partial_sb_flags_unpack [function] [call site] 00146
6 oc_pack_read1_c [function] [call site] 00147
6 oc_sb_run_unpack [function] [call site] 00148
7 oc_huff_token_decode_c [function] [call site] 00149
7 oc_pack_read_c [function] [call site] 00150
6 oc_pack_read1_c [function] [call site] 00151
5 oc_dec_coded_sb_flags_unpack [function] [call site] 00152
6 oc_pack_read1_c [function] [call site] 00153
6 oc_sb_run_unpack [function] [call site] 00154
6 oc_pack_read1_c [function] [call site] 00155
5 oc_pack_read1_c [function] [call site] 00156
5 oc_block_run_unpack [function] [call site] 00157
6 oc_huff_token_decode_c [function] [call site] 00158
4 oc_dec_init_dummy_frame [function] [call site] 00159
4 oc_dec_mb_modes_unpack [function] [call site] 00160
5 oc_pack_read_c [function] [call site] 00161
5 oc_pack_read_c [function] [call site] 00162
5 oc_huff_token_decode_c [function] [call site] 00163
4 oc_dec_mv_unpack_and_frag_modes_fill [function] [call site] 00164
5 oc_pack_read1_c [function] [call site] 00165
5 oc_mv_unpack [function] [call site] 00166
6 oc_huff_token_decode_c [function] [call site] 00167
6 oc_huff_token_decode_c [function] [call site] 00168
5 oc_mv_unpack [function] [call site] 00169
5 oc_mv_unpack [function] [call site] 00170
4 oc_dec_block_qis_unpack [function] [call site] 00171
5 oc_pack_read1_c [function] [call site] 00172
5 oc_sb_run_unpack [function] [call site] 00173
5 oc_pack_read1_c [function] [call site] 00174
5 oc_pack_read1_c [function] [call site] 00175
5 oc_sb_run_unpack [function] [call site] 00176
5 oc_pack_read1_c [function] [call site] 00177
4 oc_dec_residual_tokens_unpack [function] [call site] 00178
5 oc_pack_read_c [function] [call site] 00179
5 oc_pack_read_c [function] [call site] 00180
5 oc_dec_dc_coeff_unpack [function] [call site] 00181
6 oc_huff_token_decode_c [function] [call site] 00182
6 oc_pack_read_c [function] [call site] 00183
5 oc_pack_read_c [function] [call site] 00184
5 oc_pack_read_c [function] [call site] 00185
5 oc_dec_ac_coeff_unpack [function] [call site] 00186
6 oc_huff_token_decode_c [function] [call site] 00187
6 oc_pack_read_c [function] [call site] 00188
4 oc_dec_pipeline_init [function] [call site] 00189
5 oc_loop_filter_init_mmxext [function] [call site] 00190
5 oc_dec_postprocess_init [function] [call site] 00191
6 oc_restore_fpu_mmx [function] [call site] 00192
6 oc_ycbcr_buffer_flip [function] [call site] 00193
4 oc_ycbcr_buffer_flip [function] [call site] 00194
4 oc_dec_dc_unpredict_mcu_plane_c [function] [call site] 00195
4 oc_dec_frags_recon_mcu_plane [function] [call site] 00196
5 oc_state_frag_recon_mmx [function] [call site] 00197
6 oc_idct8x8_sse2 [function] [call site] 00198
7 oc_idct8x8_10_sse2 [function] [call site] 00199
7 oc_idct8x8_slow_sse2 [function] [call site] 00200
6 oc_frag_recon_intra_mmx [function] [call site] 00201
6 oc_state_get_mv_offsets [function] [call site] 00202
6 oc_frag_recon_inter2_mmx [function] [call site] 00203
6 oc_frag_recon_inter_mmx [function] [call site] 00204
5 oc_frag_copy_list_mmx [function] [call site] 00205
4 oc_state_loop_filter_frag_rows_mmxext [function] [call site] 00206
4 oc_state_borders_fill_rows [function] [call site] 00207
4 oc_dec_deblock_frag_rows [function] [call site] 00208
5 oc_filter_hedge [function] [call site] 00209
5 oc_filter_hedge [function] [call site] 00210
5 oc_filter_vedge [function] [call site] 00211
5 oc_filter_vedge [function] [call site] 00212
4 oc_dec_dering_frag_rows [function] [call site] 00213
5 oc_dering_block [function] [call site] 00214
5 oc_dering_block [function] [call site] 00215
5 oc_dering_block [function] [call site] 00216
5 oc_dering_block [function] [call site] 00217
5 oc_dering_block [function] [call site] 00218
4 oc_restore_fpu_mmx [function] [call site] 00219
4 oc_state_borders_fill_caps [function] [call site] 00220
4 oc_restore_fpu_mmx [function] [call site] 00221
3 void fuzzing::memory::memory_test<long>(long const&) [function] [call site] 00222
3 th_decode_ycbcr_out [function] [call site] 00223
4 oc_ycbcr_buffer_flip [function] [call site] 00224
3 TheoraDecoder::writeImage(th_img_plane const (&) [3]) const [function] [call site] 00225
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00226
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00227
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00228
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00229
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00230
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00231
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00232
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00233
4 fuzzing::memory::memory_test(void const*, unsigned long) [function] [call site] 00234
2 __cxa_begin_catch [call site] 00235
2 __cxa_end_catch [call site] 00236
1 TheoraDecoder::~TheoraDecoder() [function] [call site] 00237
2 th_info_clear [function] [call site] 00238
2 th_comment_clear [function] [call site] 00239
2 th_decode_free [function] [call site] 00240
3 oc_dec_clear [function] [call site] 00241
4 oc_huff_trees_clear [function] [call site] 00242
4 oc_state_clear [function] [call site] 00243
3 oc_aligned_free [function] [call site] 00244
2 th_setup_free [function] [call site] 00245
2 __clang_call_terminate [call site] 00246
3 __cxa_begin_catch [call site] 00247
1 fuzzing::datasource::Datasource::~Datasource() [function] [call site] 00248
2 fuzzing::datasource::Base::~Base() [function] [call site] 00249