FFmpeg
target_bsf_fuzzer.c
1 /*
2  * This file is part of FFmpeg.
3  *
4  * FFmpeg is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU Lesser General Public
6  * License as published by the Free Software Foundation; either
7  * version 2.1 of the License, or (at your option) any later version.
8  *
9  * FFmpeg is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * Lesser General Public License for more details.
13  *
14  * You should have received a copy of the GNU Lesser General Public
15  * License along with FFmpeg; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17  */
18 
19 #include "config.h"
20 #include "libavutil/imgutils.h"
21 #include "libavutil/opt.h"
22 
23 #include "libavcodec/avcodec.h"
24 #include "libavcodec/bsf.h"
26 #include "libavcodec/bytestream.h"
27 #include "libavcodec/internal.h"
28 
/* Entry point called by the fuzzing engine; declared ahead of its definition below. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);

/**
 * Report a fatal harness error and terminate the process.
 *
 * The message is written to stderr verbatim (it is never interpreted as a
 * format string and no newline is appended), then the process exits with
 * status 1. Both call sites in this file use it for allocation failures.
 *
 * @param err NUL-terminated message to print
 */
static void error(const char *err)
{
    fputs(err, stderr);
    exit(1);
}
36 
/*
 * Bitstream filter under test. It is resolved on the first call to
 * LLVMFuzzerTestOneInput() and reused by every later call in the process.
 */
static const AVBitStreamFilter *f = NULL;

/*
 * Marker that separates packets inside a fuzz input. Laid out in memory on
 * a little-endian host, the eight bytes spell "FUZZ-TAG".
 */
static const uint64_t FUZZ_TAG = UINT64_C(0x4741542D5A5A5546);
40 
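/**
 * libFuzzer entry point: run one bitstream filter over a single fuzz input.
 *
 * Input layout, as consumed below:
 *  - If the input is longer than 1024 bytes, its last 1024 bytes form a
 *    parameter trailer (dimensions, bit rate, codec id/tag, extradata size,
 *    audio parameters, keyframe and flush bit patterns, option flags).
 *  - The extradata_size bytes directly in front of the trailer become
 *    par_in->extradata, provided that size fits in what is left.
 *  - Packets are cut out of the input at every FUZZ_TAG marker. The scan
 *    limit `end` is fixed before the trailer and extradata are trimmed from
 *    `size`, so those bytes are also fed through the filter as payload.
 *
 * Every value read from the input is untrusted by construction. The harness
 * only bounds what it needs for its own memory safety (extradata length,
 * channel count, image size); the filter under test has to cope with the
 * rest. The byte layout is deliberately left unchanged so existing corpora
 * keep their meaning.
 *
 * @param data fuzz input bytes
 * @param size number of bytes in data
 * @return always 0; allocation failures end the process through error()
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    const uint64_t fuzz_tag = FUZZ_TAG;
    const uint8_t *last = data;
    const uint8_t *end = data + size;
    AVBSFContext *bsf = NULL;
    AVPacket *pkt;
    uint64_t keyframes = 0;
    uint64_t flushpattern = -1;
    int res;

    if (!f) {
#ifdef FFMPEG_BSF
#define BSF_SYMBOL0(BSF) ff_##BSF##_bsf
#define BSF_SYMBOL(BSF) BSF_SYMBOL0(BSF)
        extern const AVBitStreamFilter BSF_SYMBOL(FFMPEG_BSF);
        f = &BSF_SYMBOL(FFMPEG_BSF);
#endif
        // One-time setup: raise the log threshold to AV_LOG_PANIC.
        av_log_set_level(AV_LOG_PANIC);
    }

    // Without FFMPEG_BSF there is no filter symbol; use the null filter.
    res = f ? av_bsf_alloc(f, &bsf) : av_bsf_get_null_filter(&bsf);
    if (res < 0)
        error("Failed memory allocation");
    f = bsf->filter;

    if (size > 1024) {
        GetByteContext gbc;
        int extradata_size;
        int flags;

        // The trailer occupies the last 1024 bytes of the input.
        size -= 1024;
        bytestream2_init(&gbc, data + size, 1024);
        bsf->par_in->width                 = bytestream2_get_le32(&gbc);
        bsf->par_in->height                = bytestream2_get_le32(&gbc);
        bsf->par_in->bit_rate              = bytestream2_get_le64(&gbc);
        bsf->par_in->bits_per_coded_sample = bytestream2_get_le32(&gbc);

        if (f->codec_ids) {
            unsigned pick;
            int count = 0;

            while (f->codec_ids[count] != AV_CODEC_ID_NONE)
                count++;
            // The selector byte is consumed even when the list is empty, so
            // the trailer layout does not depend on the filter.
            pick = bytestream2_get_byte(&gbc);
            // An empty list would make the modulo divide by zero.
            if (count > 0)
                bsf->par_in->codec_id = f->codec_ids[pick % (unsigned)count];
            bsf->par_in->codec_tag = bytestream2_get_le32(&gbc);
        }

        extradata_size = bytestream2_get_le32(&gbc);

        bsf->par_in->sample_rate           = bytestream2_get_le32(&gbc);
        bsf->par_in->ch_layout.nb_channels = (unsigned)bytestream2_get_le32(&gbc) % FF_SANE_NB_CHANNELS;
        bsf->par_in->block_align           = bytestream2_get_le32(&gbc);
        keyframes                          = bytestream2_get_le64(&gbc);
        flushpattern                       = bytestream2_get_le64(&gbc);
        flags                              = bytestream2_get_byte(&gbc);

        // Bit 0x20 selects one filter-specific private option to fuzz.
        if (flags & 0x20) {
            if (!strcmp(f->name, "av1_metadata"))
                av_opt_set_int(bsf->priv_data, "td", bytestream2_get_byte(&gbc) % 3, 0);
            else if (!strcmp(f->name, "h264_metadata") || !strcmp(f->name, "hevc_metadata") ||
                     !strcmp(f->name, "vvc_metadata"))
                av_opt_set_int(bsf->priv_data, "aud", bytestream2_get_byte(&gbc) % 3, 0);
            else if (!strcmp(f->name, "extract_extradata"))
                av_opt_set_int(bsf->priv_data, "remove", bytestream2_get_byte(&gbc) & 1, 0);
        }

        // The length comes from the input: reject negative values explicitly
        // (the original relied on the int -> size_t conversion for that) and
        // anything that does not fit in front of the trailer.
        if (extradata_size >= 0 && (size_t)extradata_size < size) {
            bsf->par_in->extradata = av_mallocz((size_t)extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
            if (bsf->par_in->extradata) {
                bsf->par_in->extradata_size = extradata_size;
                size -= bsf->par_in->extradata_size;
                memcpy(bsf->par_in->extradata, data + size, bsf->par_in->extradata_size);
            }
        }
        // Dimensions that fail the size check are zeroed rather than rejected.
        if (av_image_check_size(bsf->par_in->width, bsf->par_in->height, 0, bsf))
            bsf->par_in->width = bsf->par_in->height = 0;
    }

    res = av_bsf_init(bsf);
    if (res < 0) {
        av_bsf_free(&bsf);
        return 0; // Failure of av_bsf_init() does not imply that an issue was found
    }

    pkt = av_packet_alloc();
    if (!pkt)
        error("Failed memory allocation");

    while (data < end) {
        // Search for the TAG. Bounds are compared as remaining byte counts so
        // that no pointer beyond one-past-the-end of the input is ever formed.
        while ((size_t)(end - data) > sizeof(fuzz_tag)) {
            if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)
                break;
            data++;
        }
        // Fewer bytes than a tag remain: the rest of the input is payload.
        if ((size_t)(end - data) < sizeof(fuzz_tag))
            data = end;

        // NOTE(review): data - last is narrowed to int here; this assumes
        // fuzz inputs stay far below INT_MAX -- confirm against the max_len
        // the harness is run with.
        res = av_new_packet(pkt, data - last);
        if (res < 0)
            error("Failed memory allocation");
        memcpy(pkt->data, last, data - last);
        // Two bits of the rotating pattern choose the DISCARD and KEY flags.
        pkt->flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;
        keyframes = (keyframes >> 2) + (keyframes << 62);
        // Step over the tag; when the input is exhausted stay at end instead
        // of advancing past it.
        data = (size_t)(end - data) >= sizeof(fuzz_tag) ? data + sizeof(fuzz_tag) : end;
        last = data;

        // Three bits of the rotating pattern decide whether to flush first.
        if (!(flushpattern & 7))
            av_bsf_flush(bsf);
        flushpattern = (flushpattern >> 3) + (flushpattern << 61);

        res = av_bsf_send_packet(bsf, pkt);
        if (res < 0) {
            // The packet was not accepted; drop its payload before reuse.
            av_packet_unref(pkt);
            continue;
        }
        // Drain and discard everything the filter produces.
        while (av_bsf_receive_packet(bsf, pkt) >= 0)
            av_packet_unref(pkt);
    }

    // Signal end of stream, then drain what the filter still holds.
    av_bsf_send_packet(bsf, NULL);
    while (av_bsf_receive_packet(bsf, pkt) >= 0)
        av_packet_unref(pkt);

    av_packet_free(&pkt);
    av_bsf_free(&bsf);
    return 0;
}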
error
static void error(const char *err)
Definition: target_bsf_fuzzer.c:31
av_packet_unref
void av_packet_unref(AVPacket *pkt)
Wipe the packet.
Definition: avpacket.c:423
AVBSFContext::par_in
AVCodecParameters * par_in
Parameters of the input stream.
Definition: bsf.h:90
AVCodecParameters::extradata
uint8_t * extradata
Extra binary data needed for initializing the decoder, codec-dependent.
Definition: codec_par.h:69
bsf_internal.h
opt.h
GetByteContext
Definition: bytestream.h:33
AV_LOG_PANIC
#define AV_LOG_PANIC
Something went really wrong and we will crash now.
Definition: log.h:167
AV_PKT_FLAG_DISCARD
#define AV_PKT_FLAG_DISCARD
Flag is used to discard packets which are required to maintain valid decoder state but are not requir...
Definition: packet.h:553
AVBitStreamFilter::name
const char * name
Definition: bsf.h:112
AV_RN64
#define AV_RN64(p)
Definition: intreadwrite.h:366
internal.h
AVPacket::data
uint8_t * data
Definition: packet.h:491
data
const char data[16]
Definition: mxf.c:148
AVCodecParameters::codec_tag
uint32_t codec_tag
Additional information about the codec (corresponds to the AVI FOURCC).
Definition: codec_par.h:59
AVChannelLayout::nb_channels
int nb_channels
Number of channels in this layout.
Definition: channel_layout.h:317
av_bsf_free
void av_bsf_free(AVBSFContext **pctx)
Free a bitstream filter context and everything associated with it; write NULL into the supplied point...
Definition: bsf.c:52
AV_PKT_FLAG_KEY
#define AV_PKT_FLAG_KEY
The packet contains a keyframe.
Definition: packet.h:546
av_packet_free
void av_packet_free(AVPacket **pkt)
Free the packet, if the packet is reference counted, it will be unreferenced first.
Definition: avpacket.c:74
AVBSFContext
The bitstream filter state.
Definition: bsf.h:68
bsf.h
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition: target_bsf_fuzzer.c:41
pkt
AVPacket * pkt
Definition: movenc.c:59
av_new_packet
int av_new_packet(AVPacket *pkt, int size)
Allocate the payload of a packet and initialize its fields with default values.
Definition: avpacket.c:98
av_bsf_flush
void av_bsf_flush(AVBSFContext *ctx)
Reset the internal bitstream filter state.
Definition: bsf.c:190
AVCodecParameters::width
int width
Video only.
Definition: codec_par.h:121
FUZZ_TAG
static const uint64_t FUZZ_TAG
Definition: target_bsf_fuzzer.c:39
f
static const AVBitStreamFilter * f
Definition: target_bsf_fuzzer.c:37
av_bsf_alloc
int av_bsf_alloc(const AVBitStreamFilter *filter, AVBSFContext **pctx)
Allocate a context for a given bitstream filter.
Definition: bsf.c:104
AVBitStreamFilter::codec_ids
enum AVCodecID * codec_ids
A list of codec ids supported by the filter, terminated by AV_CODEC_ID_NONE.
Definition: bsf.h:119
av_bsf_init
int av_bsf_init(AVBSFContext *ctx)
Prepare the filter for use, after all the parameters and options have been set.
Definition: bsf.c:149
NULL
#define NULL
Definition: coverity.c:32
av_bsf_receive_packet
int av_bsf_receive_packet(AVBSFContext *ctx, AVPacket *pkt)
Retrieve a filtered packet.
Definition: bsf.c:230
AVCodecParameters::ch_layout
AVChannelLayout ch_layout
Audio only.
Definition: codec_par.h:206
AVCodecParameters::sample_rate
int sample_rate
Audio only.
Definition: codec_par.h:171
av_opt_set_int
int av_opt_set_int(void *obj, const char *name, int64_t val, int search_flags)
Definition: opt.c:624
AVCodecParameters::extradata_size
int extradata_size
Size of the extradata content in bytes.
Definition: codec_par.h:73
av_bsf_send_packet
int av_bsf_send_packet(AVBSFContext *ctx, AVPacket *pkt)
Submit a packet for filtering.
Definition: bsf.c:202
size
int size
Definition: twinvq_data.h:10344
AVPacket::flags
int flags
A combination of AV_PKT_FLAG values.
Definition: packet.h:497
av_packet_alloc
AVPacket * av_packet_alloc(void)
Allocate an AVPacket and set its fields to default values.
Definition: avpacket.c:63
av_log_set_level
void av_log_set_level(int level)
Set the log level.
Definition: log.c:442
AV_CODEC_ID_NONE
@ AV_CODEC_ID_NONE
Definition: codec_id.h:50
i
#define i(width, name, range_min, range_max)
Definition: cbs_h2645.c:255
AVCodecParameters::height
int height
Definition: codec_par.h:122
AVCodecParameters::block_align
int block_align
Audio only.
Definition: codec_par.h:178
av_mallocz
void * av_mallocz(size_t size)
Allocate a memory block with alignment suitable for all memory accesses (including vectors if availab...
Definition: mem.c:254
avcodec.h
AVBSFContext::priv_data
void * priv_data
Opaque filter-specific private data.
Definition: bsf.h:83
av_bsf_get_null_filter
int av_bsf_get_null_filter(AVBSFContext **bsf)
Get null/pass-through bitstream filter.
Definition: bsf.c:553
AV_INPUT_BUFFER_PADDING_SIZE
#define AV_INPUT_BUFFER_PADDING_SIZE
Definition: defs.h:40
id
enum AVCodecID id
Definition: dts2pts_bsf.c:364
AVBitStreamFilter
Definition: bsf.h:111
AVBSFContext::filter
const struct AVBitStreamFilter * filter
The bitstream filter this context is an instance of.
Definition: bsf.h:77
AVCodecParameters::bits_per_coded_sample
int bits_per_coded_sample
The number of bits per sample in the codedwords.
Definition: codec_par.h:97
AVCodecParameters::codec_id
enum AVCodecID codec_id
Specific type of the encoded data (the codec used).
Definition: codec_par.h:55
AVPacket
This structure stores compressed data.
Definition: packet.h:468
bytestream.h
imgutils.h
bytestream2_init
static av_always_inline void bytestream2_init(GetByteContext *g, const uint8_t *buf, int buf_size)
Definition: bytestream.h:137
flags
#define flags(name, subs,...)
Definition: cbs_av1.c:474
AVCodecParameters::bit_rate
int64_t bit_rate
The average bitrate of the encoded data (in bits per second).
Definition: codec_par.h:84
av_image_check_size
int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx)
Check if the given dimension of an image is valid, meaning that all bytes of the image can be address...
Definition: imgutils.c:318
FF_SANE_NB_CHANNELS
#define FF_SANE_NB_CHANNELS
Definition: internal.h:40