[FFmpeg-devel] [RFC] Fuzzer results and bugfixes
Sat Mar 6 01:30:50 CET 2010
I wrote a rather simple fuzzer and started running it on ffmpeg using
various input files. I've found about 6 crashes so far (some appear
to be possibly exploitable); I suspect to find a lot more as I try
more types of input files. Here's my tentative plan:
1. Start a roundup thread specifically for this fuzzer (only one bug
report rather than a massive spam).
2. Offer the same bugfix rewards as usual for fixing crashes reported
in this thread by the fuzzer (duplicate crashes caused by the same bug
are obviously not counted).
3. Because I have a very slow upload and most input files have
multiple crashes, each sample will be only uploaded once: instead, the
random seed used to generate the fuzz test failure will be posted.
means that IronMan.mkv, fuzzed with seed 140, caused a crash in decoding.
Using the fuzzer is trivial and much faster than waiting for my upload:
./fuzzer input output seed
Is this a good idea? I think it would be the most convenient for
dealing with fuzzer-found crash bugs. Furthermore, it would easily
allow others to report new fuzzer-found crash bugs in a central
location without scaring the crap out of everyone with hundreds of bug
Attached is fuzzer.c: here's my script for fuzzing:
gcc -Wall -O3 fuzzer.c -o fuzzer
for a in $(seq 1000)
do echo $a >> failures.txt
./fuzzer IronMan.mkv input.mkv $a
bash -c 'ffmpeg -y -i input.mkv output.avi >> log.txt 2>&1' 2>> failures.txt
done
This will output the ffmpeg log to "log.txt" and the failures to
"failures.txt". The failures.txt file will look something like this:
bash: line 1: 2390 Segmentation fault ffmpeg -y -i input.mkv output.avi >> log.txt 2>&1
This means that seed 175 caused a crash, which can be replicated
trivially by hand.
Thoughts on all this?
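For readers of the archive: the attached fuzzer.c was scrubbed, so below is an added, stand-alone example of the kind of seed-driven mutation fuzzer the post describes. It is not the author's fuzzer.c and not part of FFmpeg; the mutation strategy (random overwrite, bit flip, small arithmetic tweak), the xorshift32 PRNG, and the rule of one mutation per 64 KiB of input are my own assumptions. What it does preserve from the post is the contract that matters for the reporting scheme: the output depends only on (input, seed), so "IronMan.mkv, seed 140" is enough for anyone to regenerate the crashing file, and the file length is unchanged so container offsets mostly survive and the demuxer gets deep into parsing before it meets corrupt bytes.

```c
/* fuzzer.c (added example, not the attachment from the post):
 *   ./fuzzer input output seed
 * Deterministic: the same input and seed always produce the same output. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* xorshift32: a fixed, portable PRNG so a seed reproduces the same file on
 * every platform (rand() differs between libcs). xorshift never leaves state
 * zero, so seed 0 is remapped to a fixed non-zero constant (assumption). */
static uint32_t fuzz_rng(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Apply nmut single-byte mutations to buf in place; length is preserved.
 * Returns the number of mutations applied (0 for an empty buffer). */
size_t fuzz_buffer(unsigned char *buf, size_t len, uint32_t seed, size_t nmut) {
    uint32_t st = seed ? seed : 0x9E3779B9u;
    if (len == 0) return 0;
    for (size_t i = 0; i < nmut; i++) {
        size_t pos = fuzz_rng(&st) % len;      /* which byte to corrupt */
        uint32_t r = fuzz_rng(&st);            /* which operation, with what */
        switch (r % 3) {
        case 0:  buf[pos] = (unsigned char)(r >> 8); break;            /* overwrite */
        case 1:  buf[pos] ^= (unsigned char)(1u << ((r >> 8) % 8)); break; /* bit flip */
        default: buf[pos] += (unsigned char)(((r >> 8) % 16) - 8); break;  /* +/- small delta */
        }
    }
    return nmut;
}

/* Slurp a whole file into a malloc'd buffer; NULL on any failure. */
static unsigned char *read_file(const char *path, size_t *len) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return NULL; }
    long sz = ftell(f);
    if (sz < 0) { fclose(f); return NULL; }
    rewind(f);
    unsigned char *buf = malloc(sz ? (size_t)sz : 1);
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) {
        free(buf);
        fclose(f);
        return NULL;
    }
    fclose(f);
    *len = (size_t)sz;
    return buf;
}

int main(int argc, char **argv) {
    if (argc != 4) {
        fprintf(stderr, "usage: %s input output seed\n", argv[0]);
        return 2;
    }
    size_t len = 0;
    unsigned char *buf = read_file(argv[1], &len);
    if (!buf) { perror(argv[1]); return 1; }

    uint32_t seed = (uint32_t)strtoul(argv[3], NULL, 10);
    /* Mutation budget: one per 64 KiB plus one (assumed; tune to taste). */
    size_t n = fuzz_buffer(buf, len, seed, 1 + len / 65536);

    FILE *out = fopen(argv[2], "wb");
    if (!out || fwrite(buf, 1, len, out) != len) {
        perror(argv[2]);
        if (out) fclose(out);
        free(buf);
        return 1;
    }
    fclose(out);
    fprintf(stderr, "%s: %zu mutation(s) with seed %u -> %s\n", argv[1], n, seed, argv[2]);
    free(buf);
    return 0;
}
```

Build and run exactly as in the post (gcc -Wall -O3 fuzzer.c -o fuzzer; ./fuzzer IronMan.mkv input.mkv 140), then feed input.mkv to ffmpeg. Because the seed alone reproduces the file, a crash can be filed as "sample, seed" without uploading anything, which is the whole point of item 3 above; keep the unmodified sample and the fuzzer binary (or its exact source) under version control, since changing either silently changes every seed's output.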