[FFmpeg-devel] [RFC] Fuzzer results and bugfixes

Jason Garrett-Glaser darkshikari
Sat Mar 6 01:30:50 CET 2010


All,

I wrote a rather simple fuzzer and started running it on ffmpeg using
various input files.  I've found about 6 crashes so far (some appear
to be possibly exploitable); I suspect I'll find a lot more as I try
more types of input files.  Here's my tentative plan:

1.  Start a roundup thread specifically for this fuzzer (only one bug
report rather than a massive spam).
2.  Offer the same bugfix rewards as usual for fixing crashes reported
in this thread by the fuzzer (duplicate crashes caused by the same bug
are obviously not counted).
3.  Because I have a very slow upload and most input files have
multiple crashes, each sample will be only uploaded once: instead, the
random seed used to generate the fuzz test failure will be posted.
For example:

IronMan.mkv 140

means that IronMan.mkv, fuzzed with seed 140, caused a crash in decoding.

Using the fuzzer is trivial and much faster than waiting for my upload:

./fuzzer input output seed

Is this a good idea?  I think it would be the most convenient for
dealing with fuzzer-found crash bugs.  Furthermore, it would easily
allow others to report new fuzzer-found crash bugs in a central
location without scaring the crap out of everyone with hundreds of bug
reports.

Attached is fuzzer.c: here's my script for fuzzing:

gcc -Wall -O3 fuzzer.c -o fuzzer
rm -f failures.txt   # -f so the first run does not abort when the file is not there yet
for a in $(seq 1000)
do echo "$a" >> failures.txt   # log the seed before the run: a crash message follows the seed that caused it
./fuzzer IronMan.mkv input.mkv "$a"
# run ffmpeg in a child bash so the shell's "Segmentation fault" message goes to failures.txt,
# while ffmpeg's own stdout/stderr go to log.txt
bash -c 'ffmpeg -y -i input.mkv output.avi >> log.txt 2>&1' 2>> failures.txt
done

This will output the ffmpeg log to "log.txt" and the failures to
"failures.txt".  The failures.txt file will look something like this:

173
174
175
bash: line 1:  2390 Segmentation fault      ffmpeg -y -i input.mkv output.avi >> log.txt 2>&1

This means that seed 175 caused a crash, which can be replicated
trivially by hand.

Thoughts on all this?

Dark Shikari
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fuzzer.c
Type: text/x-c
Size: 1851 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20100305/d8cbc6bd/attachment.bin>
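The fuzzer.c attachment was scrubbed from the archive, so the following is an added example and not the author's fuzzer.c or FFmpeg code: a seed-driven mutation fuzzer with the same command-line shape (./fuzzer input output seed) that the script above can drive unchanged. The mutation mix (single-bit flips, byte overwrites, short chunk copies), the mutation density of about one per 512 bytes, and the use of a private xorshift32 PRNG are this example's own assumptions.

```c
/* Added example: seed-driven mutation fuzzer, ./fuzzer input output seed.
 * Not the fuzzer.c from the mail (scrubbed from the archive) and not FFmpeg
 * code; mutation mix and PRNG are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Private xorshift32 PRNG: a posted "IronMan.mkv 140" is only useful if the
 * seed reproduces the exact same bytes on every machine, which rand() does
 * not guarantee across libc implementations. */
static uint32_t rng_state;

static uint32_t rng_next(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return rng_state = x;
}

/* Mutate buf in place: about one mutation per 512 bytes, at least one.
 * Returns the number of mutations applied. */
size_t fuzz_buffer(uint8_t *buf, size_t len, uint32_t seed)
{
    if (len == 0)
        return 0;
    rng_state = seed * 2654435761u + 0x9e3779b9u; /* spread adjacent seeds */
    if (rng_state == 0)                           /* xorshift sticks at 0 */
        rng_state = 1;
    size_t count = len / 512 + 1;
    for (size_t i = 0; i < count; i++) {
        size_t pos = rng_next() % len;
        switch (rng_next() % 3) {
        case 0: /* flip one bit: gentle, usually keeps the container parseable */
            buf[pos] ^= (uint8_t)(1u << (rng_next() % 8));
            break;
        case 1: /* overwrite one byte with a random value */
            buf[pos] = (uint8_t)rng_next();
            break;
        default: { /* copy a short chunk from elsewhere: corrupts size fields
                    * and duplicates structures without pure garbage */
            size_t n = rng_next() % 16 + 1;
            size_t src = rng_next() % len;
            if (pos + n > len) n = len - pos;
            if (src + n > len) n = len - src;
            memmove(buf + pos, buf + src, n);
            break;
        }
        }
    }
    return count;
}

/* Reproducibility check on a constructed 4 KiB input (not a real file):
 * the same seed must give identical output, and the output must differ
 * from the input.  Returns 1 on success, 0 otherwise. */
int fuzz_self_check(uint32_t seed)
{
    enum { N = 4096 };
    uint8_t orig[N], a[N], b[N];
    for (size_t i = 0; i < N; i++)
        orig[i] = (uint8_t)(i * 7);
    memcpy(a, orig, N);
    memcpy(b, orig, N);
    fuzz_buffer(a, N, seed);
    fuzz_buffer(b, N, seed);
    return memcmp(a, b, N) == 0 && memcmp(a, orig, N) != 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s input output seed\n", argv[0]);
        return 2;
    }
    FILE *in = fopen(argv[1], "rb");
    if (!in) { perror(argv[1]); return 1; }
    fseek(in, 0, SEEK_END);
    long sz = ftell(in);
    fseek(in, 0, SEEK_SET);
    if (sz <= 0) { fprintf(stderr, "%s: empty input\n", argv[1]); return 1; }
    uint8_t *buf = malloc((size_t)sz);
    if (!buf || fread(buf, 1, (size_t)sz, in) != (size_t)sz) { perror("read"); return 1; }
    fclose(in);
    uint32_t seed = (uint32_t)strtoul(argv[3], NULL, 10);
    size_t n = fuzz_buffer(buf, (size_t)sz, seed);
    FILE *out = fopen(argv[2], "wb");
    if (!out || fwrite(buf, 1, (size_t)sz, out) != (size_t)sz) { perror(argv[2]); return 1; }
    fclose(out);
    fprintf(stderr, "%zu mutations applied with seed %u\n", n, seed);
    free(buf);
    return 0;
}
```

Build it with the same gcc line as the script above and it slots into the loop as ./fuzzer IronMan.mkv input.mkv "$a". The one property worth insisting on in a fuzzer used this way is that the seed alone pins down the output bytes: if the PRNG depends on the platform's rand(), a "seed 175" report from one machine will not reproduce the crash on another, and the whole "file + seed instead of upload" scheme falls apart.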
