tools: add a fuzzer tool for bitstream filters
authorJames Almer <jamrial@gmail.com>
Sat, 30 Nov 2019 18:57:44 +0000 (15:57 -0300)
committerJames Almer <jamrial@gmail.com>
Thu, 5 Dec 2019 23:49:15 +0000 (20:49 -0300)
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
Makefile
doc/build_system.txt
tools/Makefile
tools/target_bsf_fuzzer.c [new file with mode: 0644]

index 532372c..b7ecea8 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -50,6 +50,9 @@ $(TOOLS): %$(EXESUF): %.o
 target_dec_%_fuzzer$(EXESUF): target_dec_%_fuzzer.o $(FF_DEP_LIBS)
        $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
 
+tools/target_bsf_%_fuzzer$(EXESUF): tools/target_bsf_%_fuzzer.o $(FF_DEP_LIBS)
+       $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
+
 tools/target_dem_fuzzer$(EXESUF): tools/target_dem_fuzzer.o $(FF_DEP_LIBS)
        $(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
 
index 3d6a21a..0b1b0c2 100644 (file)
@@ -48,6 +48,8 @@ config
 tools/target_dec_<decoder>_fuzzer
     Build fuzzer to fuzz the specified decoder.
 
+tools/target_bsf_<filter>_fuzzer
+    Build fuzzer to fuzz the specified bitstream filter.
 
 Useful standard make commands:
 make -t <target>
index 370ee35..0010931 100644 (file)
@@ -5,6 +5,9 @@ TOOLS-$(CONFIG_ZLIB) += cws2fws
 tools/target_dec_%_fuzzer.o: tools/target_dec_fuzzer.c
        $(COMPILE_C) -DFFMPEG_DECODER=$*
 
+tools/target_bsf_%_fuzzer.o: tools/target_bsf_fuzzer.c
+       $(COMPILE_C) -DFFMPEG_BSF=$*
+
 tools/target_dem_fuzzer.o: tools/target_dem_fuzzer.c
        $(COMPILE_C)
 
diff --git a/tools/target_bsf_fuzzer.c b/tools/target_bsf_fuzzer.c
new file mode 100644 (file)
index 0000000..f3e584f
--- /dev/null
@@ -0,0 +1,153 @@
+/*
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "config.h"
+#include "libavutil/imgutils.h"
+
+#include "libavcodec/avcodec.h"
+#include "libavcodec/bsf.h"
+#include "libavcodec/bytestream.h"
+#include "libavcodec/internal.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+static void error(const char *err)
+{
+    fprintf(stderr, "%s", err);
+    exit(1);
+}
+
+static AVBitStreamFilter *f = NULL;
+
+static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    const uint64_t fuzz_tag = FUZZ_TAG;
+    const uint8_t *last = data;
+    const uint8_t *end = data + size;
+    AVBSFContext *bsf = NULL;
+    AVPacket in, out;
+    uint64_t keyframes = 0;
+    int res;
+
+    if (!f) {
+#ifdef FFMPEG_BSF
+#define BSF_SYMBOL0(BSF) ff_##BSF##_bsf
+#define BSF_SYMBOL(BSF) BSF_SYMBOL0(BSF)
+        extern AVBitStreamFilter BSF_SYMBOL(FFMPEG_BSF);
+        f = &BSF_SYMBOL(FFMPEG_BSF);
+#else
+        extern AVBitStreamFilter ff_null_bsf;
+        f = &ff_null_bsf;
+#endif
+        av_log_set_level(AV_LOG_PANIC);
+    }
+
+    res = av_bsf_alloc(f, &bsf);
+    if (res < 0)
+        error("Failed memory allocation");
+
+    if (size > 1024) {
+        GetByteContext gbc;
+        int extradata_size;
+        size -= 1024;
+        bytestream2_init(&gbc, data + size, 1024);
+        bsf->par_in->width                      = bytestream2_get_le32(&gbc);
+        bsf->par_in->height                     = bytestream2_get_le32(&gbc);
+        bsf->par_in->bit_rate                   = bytestream2_get_le64(&gbc);
+        bsf->par_in->bits_per_coded_sample      = bytestream2_get_le32(&gbc);
+
+        if (f->codec_ids) {
+            int i, id;
+            for (i = 0; f->codec_ids[i] != AV_CODEC_ID_NONE; i++);
+            id = f->codec_ids[bytestream2_get_byte(&gbc) % i];
+            bsf->par_in->codec_id = id;
+            bsf->par_in->codec_tag              = bytestream2_get_le32(&gbc);
+        }
+
+        extradata_size = bytestream2_get_le32(&gbc);
+
+        bsf->par_in->sample_rate                = bytestream2_get_le32(&gbc);
+        bsf->par_in->channels                   = (unsigned)bytestream2_get_le32(&gbc) % FF_SANE_NB_CHANNELS;
+        bsf->par_in->block_align                = bytestream2_get_le32(&gbc);
+        keyframes                               = bytestream2_get_le64(&gbc);
+
+        if (extradata_size < size) {
+            bsf->par_in->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
+            if (bsf->par_in->extradata) {
+                bsf->par_in->extradata_size = extradata_size;
+                size -= bsf->par_in->extradata_size;
+                memcpy(bsf->par_in->extradata, data + size, bsf->par_in->extradata_size);
+            }
+        }
+        if (av_image_check_size(bsf->par_in->width, bsf->par_in->height, 0, bsf))
+            bsf->par_in->width = bsf->par_in->height = 0;
+    }
+
+    res = av_bsf_init(bsf);
+    if (res < 0) {
+        av_bsf_free(&bsf);
+        return 0; // Failure of av_bsf_init() does not imply that a issue was found
+    }
+
+    av_init_packet(&in);
+    av_init_packet(&out);
+    out.data = NULL;
+    out.size = 0;
+    while (data < end) {
+        // Search for the TAG
+        while (data + sizeof(fuzz_tag) < end) {
+            if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)
+                break;
+            data++;
+        }
+        if (data + sizeof(fuzz_tag) > end)
+            data = end;
+
+        res = av_new_packet(&in, data - last);
+        if (res < 0)
+            error("Failed memory allocation");
+        memcpy(in.data, last, data - last);
+        in.flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;
+        keyframes = (keyframes >> 2) + (keyframes<<62);
+        data += sizeof(fuzz_tag);
+        last = data;
+
+        while (in.size) {
+            res = av_bsf_send_packet(bsf, &in);
+            if (res < 0 && res != AVERROR(EAGAIN))
+                break;
+            res = av_bsf_receive_packet(bsf, &out);
+            if (res < 0)
+                break;
+            av_packet_unref(&out);
+        }
+        av_packet_unref(&in);
+    }
+
+    res = av_bsf_send_packet(bsf, NULL);
+    while (!res) {
+        res = av_bsf_receive_packet(bsf, &out);
+        if (res < 0)
+            break;
+        av_packet_unref(&out);
+    }
+
+    av_bsf_free(&bsf);
+    return 0;
+}