FFmpeg
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
target_dec_fuzzer.c
Go to the documentation of this file.
1 /*
2  * This file is part of FFmpeg.
3  *
4  * FFmpeg is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU Lesser General Public
6  * License as published by the Free Software Foundation; either
7  * version 2.1 of the License, or (at your option) any later version.
8  *
9  * FFmpeg is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * Lesser General Public License for more details.
13  *
14  * You should have received a copy of the GNU Lesser General Public
15  * License along with FFmpeg; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17  */
18 
19 /* Targeted fuzzer that targets specific codecs depending on two
20  compile-time flags.
21  INSTRUCTIONS:
22 
23  * Get the very fresh clang, e.g. see http://libfuzzer.info#versions
24  * Get and build libFuzzer:
25  svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
26  ./Fuzzer/build.sh
27  * build ffmpeg for fuzzing:
28  FLAGS="-fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp -g" CC="clang $FLAGS" CXX="clang++ $FLAGS" ./configure --disable-x86asm
29  make clean && make -j
30  * build the fuzz target.
31  Choose the value of FFMPEG_CODEC (e.g. AV_CODEC_ID_DVD_SUBTITLE) and
32  choose one of FUZZ_FFMPEG_VIDEO, FUZZ_FFMPEG_AUDIO, FUZZ_FFMPEG_SUBTITLE.
33  clang -fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp tools/target_dec_fuzzer.c -o target_dec_fuzzer -I. -DFFMPEG_CODEC=AV_CODEC_ID_MPEG1VIDEO -DFUZZ_FFMPEG_VIDEO ../../libfuzzer/libFuzzer.a -Llibavcodec -Llibavdevice -Llibavfilter -Llibavformat -Llibavresample -Llibavutil -Llibpostproc -Llibswscale -Llibswresample -Wl,--as-needed -Wl,-z,noexecstack -Wl,--warn-common -Wl,-rpath-link=libpostproc:libswresample:libswscale:libavfilter:libavdevice:libavformat:libavcodec:libavutil:libavresample -lavdevice -lavfilter -lavformat -lavcodec -lswresample -lswscale -lavutil -ldl -lxcb -lxcb-shm -lxcb -lxcb-xfixes -lxcb -lxcb-shape -lxcb -lX11 -lasound -lm -lbz2 -lz -pthread
34  * create a corpus directory and put some samples there (empty dir is ok too):
35  mkdir CORPUS && cp some-files CORPUS
36 
37  * Run fuzzing:
38  ./target_dec_fuzzer -max_len=100000 CORPUS
39 
40  More info:
41  http://libfuzzer.info
42  http://tutorial.libfuzzer.info
43  https://github.com/google/oss-fuzz
44  http://lcamtuf.coredump.cx/afl/
45  https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html
46 */
47 
48 #include "config.h"
49 #include "libavutil/avassert.h"
50 #include "libavutil/imgutils.h"
51 #include "libavutil/intreadwrite.h"
52 
53 #include "libavcodec/avcodec.h"
54 #include "libavcodec/bytestream.h"
55 #include "libavformat/avformat.h"
56 
57 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
58 
60  NULL,
61  NULL
62 };
63 
64 static void error(const char *err)
65 {
66  fprintf(stderr, "%s", err);
67  exit(1);
68 }
69 
70 static AVCodec *c = NULL;
72 {
73  AVCodec *res;
74 
75  res = avcodec_find_decoder(codec_id);
76  if (!res)
77  error("Failed to find decoder");
78  return res;
79 }
80 
81 static int subtitle_handler(AVCodecContext *avctx, void *frame,
82  int *got_sub_ptr, AVPacket *avpkt)
83 {
84  AVSubtitle sub;
85  int ret = avcodec_decode_subtitle2(avctx, &sub, got_sub_ptr, avpkt);
86  if (ret >= 0 && *got_sub_ptr)
87  avsubtitle_free(&sub);
88  return ret;
89 }
90 
91 // Class to handle buffer allocation and resize for each frame
92 typedef struct FuzzDataBuffer {
93  size_t size_;
96 
97 static void FDBCreate(FuzzDataBuffer *FDB) {
98  FDB->size_ = 0x1000;
99  FDB->data_ = av_malloc(FDB->size_);
100  if (!FDB->data_)
101  error("Failed memory allocation");
102 }
103 
104 static void FDBDesroy(FuzzDataBuffer *FDB) { av_free(FDB->data_); }
105 
106 static void FDBRealloc(FuzzDataBuffer *FDB, size_t size) {
107  size_t needed = size + AV_INPUT_BUFFER_PADDING_SIZE;
108  av_assert0(needed > size);
109  if (needed > FDB->size_) {
110  av_free(FDB->data_);
111  FDB->size_ = needed;
112  FDB->data_ = av_malloc(FDB->size_);
113  if (!FDB->data_)
114  error("Failed memory allocation");
115  }
116 }
117 
118 static void FDBPrepare(FuzzDataBuffer *FDB, AVPacket *dst, const uint8_t *data,
119  size_t size)
120 {
121  FDBRealloc(FDB, size);
122  memcpy(FDB->data_, data, size);
123  size_t padd = FDB->size_ - size;
124  if (padd > AV_INPUT_BUFFER_PADDING_SIZE)
126  memset(FDB->data_ + size, 0, padd);
127  av_init_packet(dst);
128  dst->data = FDB->data_;
129  dst->size = size;
130 }
131 
132 // Ensure we don't loop forever
133 const uint32_t maxiteration = 8096;
134 
135 static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;
136 
138  const uint64_t fuzz_tag = FUZZ_TAG;
140  const uint8_t *last = data;
141  const uint8_t *end = data + size;
142  uint32_t it = 0;
143  int (*decode_handler)(AVCodecContext *avctx, AVFrame *picture,
144  int *got_picture_ptr,
145  const AVPacket *avpkt) = NULL;
146 
147  if (!c) {
148 #ifdef FFMPEG_DECODER
149 #define DECODER_SYMBOL0(CODEC) ff_##CODEC##_decoder
150 #define DECODER_SYMBOL(CODEC) DECODER_SYMBOL0(CODEC)
151  extern AVCodec DECODER_SYMBOL(FFMPEG_DECODER);
152  codec_list[0] = &DECODER_SYMBOL(FFMPEG_DECODER);
153  avcodec_register(&DECODER_SYMBOL(FFMPEG_DECODER));
154 
155  c = &DECODER_SYMBOL(FFMPEG_DECODER);
156 #else
158  c = AVCodecInitialize(FFMPEG_CODEC); // Done once.
159 #endif
161  }
162 
163  switch (c->type) {
164  case AVMEDIA_TYPE_AUDIO : decode_handler = avcodec_decode_audio4; break;
165  case AVMEDIA_TYPE_VIDEO : decode_handler = avcodec_decode_video2; break;
166  case AVMEDIA_TYPE_SUBTITLE: decode_handler = subtitle_handler ; break;
167  }
168 
170  if (!ctx)
171  error("Failed memory allocation");
172 
173  ctx->max_pixels = 4096 * 4096; //To reduce false positive OOM and hangs
174 
175  if (size > 1024) {
176  GetByteContext gbc;
177  bytestream2_init(&gbc, data + size - 1024, 1024);
178  ctx->width = bytestream2_get_le32(&gbc);
179  ctx->height = bytestream2_get_le32(&gbc);
180  ctx->bit_rate = bytestream2_get_le64(&gbc);
181  ctx->bits_per_coded_sample = bytestream2_get_le32(&gbc);
182  if (av_image_check_size(ctx->width, ctx->height, 0, ctx))
183  ctx->width = ctx->height = 0;
184  size -= 1024;
185  }
186 
187  int res = avcodec_open2(ctx, c, NULL);
188  if (res < 0) {
189  av_free(ctx);
190  return 0; // Failure of avcodec_open2() does not imply that a issue was found
191  }
192 
193  FDBCreate(&buffer);
194  int got_frame;
196  if (!frame)
197  error("Failed memory allocation");
198 
199  // Read very simple container
200  AVPacket avpkt;
201  while (data < end && it < maxiteration) {
202  // Search for the TAG
203  while (data + sizeof(fuzz_tag) < end) {
204  if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)
205  break;
206  data++;
207  }
208  if (data + sizeof(fuzz_tag) > end)
209  data = end;
210 
211  FDBPrepare(&buffer, &avpkt, last, data - last);
212  data += sizeof(fuzz_tag);
213  last = data;
214 
215  // Iterate through all data
216  while (avpkt.size > 0 && it++ < maxiteration) {
217  av_frame_unref(frame);
218  int ret = decode_handler(ctx, frame, &got_frame, &avpkt);
219 
220  if (it > 20)
221  ctx->error_concealment = 0;
222 
223  if (ret <= 0 || ret > avpkt.size)
224  break;
225  if (ctx->codec_type != AVMEDIA_TYPE_AUDIO)
226  ret = avpkt.size;
227  avpkt.data += ret;
228  avpkt.size -= ret;
229  }
230  }
231 
232  av_init_packet(&avpkt);
233  avpkt.data = NULL;
234  avpkt.size = 0;
235 
236  do {
237  got_frame = 0;
238  decode_handler(ctx, frame, &got_frame, &avpkt);
239  } while (got_frame == 1 && it++ < maxiteration);
240 
241  av_frame_free(&frame);
242  avcodec_free_context(&ctx);
243  av_freep(&ctx);
244  FDBDesroy(&buffer);
245  return 0;
246 }
const uint32_t maxiteration
#define NULL
Definition: coverity.c:32
This structure describes decoded (raw) audio or video data.
Definition: frame.h:218
ptrdiff_t const GLvoid * data
Definition: opengl_enc.c:101
misc image utilities
int64_t bit_rate
the average bitrate
Definition: avcodec.h:1568
void av_log_set_level(int level)
Set the log level.
Definition: log.c:385
int size
Definition: avcodec.h:1431
static av_always_inline void bytestream2_init(GetByteContext *g, const uint8_t *buf, int buf_size)
Definition: bytestream.h:133
attribute_deprecated int avcodec_decode_audio4(AVCodecContext *avctx, AVFrame *frame, int *got_frame_ptr, const AVPacket *avpkt)
Decode the audio frame of size avpkt->size from avpkt->data into frame.
Definition: decode.c:833
enum AVMediaType type
Definition: avcodec.h:3421
static void FDBCreate(FuzzDataBuffer *FDB)
int avcodec_decode_subtitle2(AVCodecContext *avctx, AVSubtitle *sub, int *got_sub_ptr, AVPacket *avpkt)
Decode a subtitle message.
Definition: decode.c:998
AVCodec.
Definition: avcodec.h:3408
#define av_assert0(cond)
assert() equivalent, that is always enabled.
Definition: avassert.h:37
uint8_t
#define av_malloc(s)
AVFrame * av_frame_alloc(void)
Allocate an AVFrame and set its fields to default values.
Definition: frame.c:189
#define AV_LOG_PANIC
Something went really wrong and we will crash now.
Definition: log.h:163
static av_cold int end(AVCodecContext *avctx)
Definition: avrndec.c:90
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
static AVFrame * frame
uint8_t * data
Definition: avcodec.h:1430
av_cold void avcodec_register(AVCodec *codec)
Register the codec codec and initialize libavcodec.
Definition: allcodecs.c:809
ptrdiff_t size
Definition: opengl_enc.c:101
int bits_per_coded_sample
bits per sample/pixel from the demuxer (needed for huffyuv).
Definition: avcodec.h:2734
void avcodec_register_all(void)
Register all the codecs, parsers and bitstream filters which were enabled at configuration time...
Definition: allcodecs.c:824
static AVCodec * c
static const uint64_t FUZZ_TAG
AVCodecID
Identify the syntax and semantics of the bitstream.
Definition: avcodec.h:215
void av_frame_free(AVFrame **frame)
Free the frame and any dynamically allocated objects in it, e.g.
Definition: frame.c:202
int error_concealment
error concealment flags
Definition: avcodec.h:2588
simple assert() macros that are a bit more flexible than ISO C assert().
int64_t max_pixels
The number of pixels per image to maximally accept.
Definition: avcodec.h:3227
int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx)
Check if the given dimension of an image is valid, meaning that all bytes of the image can be address...
Definition: imgutils.c:282
AVCodecContext * avcodec_alloc_context3(const AVCodec *codec)
Allocate an AVCodecContext and set its fields to default values.
Definition: options.c:156
static AVCodec * AVCodecInitialize(enum AVCodecID codec_id)
int width
picture width / height.
Definition: avcodec.h:1690
AVFormatContext * ctx
Definition: movenc.c:48
enum AVCodecID codec_id
Definition: vaapi_decode.c:362
static void error(const char *err)
static int subtitle_handler(AVCodecContext *avctx, void *frame, int *got_sub_ptr, AVPacket *avpkt)
Libavcodec external API header.
enum AVMediaType codec_type
Definition: avcodec.h:1526
attribute_deprecated int avcodec_decode_video2(AVCodecContext *avctx, AVFrame *picture, int *got_picture_ptr, const AVPacket *avpkt)
Decode the video frame of size avpkt->size from avpkt->data into picture.
Definition: decode.c:826
void avcodec_free_context(AVCodecContext **avctx)
Free the codec context and everything associated with it and write NULL to the provided pointer...
Definition: options.c:171
main external API structure.
Definition: avcodec.h:1518
AVCodec * avcodec_find_decoder(enum AVCodecID id)
Find a registered decoder with a matching codec ID.
Definition: allcodecs.c:866
void avsubtitle_free(AVSubtitle *sub)
Free all allocated data in the given subtitle struct.
Definition: utils.c:1042
int avcodec_open2(AVCodecContext *avctx, const AVCodec *codec, AVDictionary **options)
Initialize the AVCodecContext to use the given AVCodec.
Definition: utils.c:538
static void FDBPrepare(FuzzDataBuffer *FDB, AVPacket *dst, const uint8_t *data, size_t size)
void av_frame_unref(AVFrame *frame)
Unreference all the buffers referenced by frame and reset the frame fields.
Definition: frame.c:551
Main libavformat public API header.
int
void av_init_packet(AVPacket *pkt)
Initialize optional fields of a packet with default values.
Definition: avpacket.c:33
#define AV_INPUT_BUFFER_PADDING_SIZE
Required number of additionally allocated bytes at the end of the input bitstream for decoding...
Definition: avcodec.h:773
#define av_free(p)
#define AV_RN64(p)
Definition: intreadwrite.h:368
#define av_freep(p)
static void FDBDesroy(FuzzDataBuffer *FDB)
static void FDBRealloc(FuzzDataBuffer *FDB, size_t size)
This structure stores compressed data.
Definition: avcodec.h:1407
GLuint buffer
Definition: opengl_enc.c:102
AVCodec * codec_list[]