FFmpeg
target_bsf_fuzzer.c
Go to the documentation of this file.
1 /*
2  * This file is part of FFmpeg.
3  *
4  * FFmpeg is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU Lesser General Public
6  * License as published by the Free Software Foundation; either
7  * version 2.1 of the License, or (at your option) any later version.
8  *
9  * FFmpeg is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * Lesser General Public License for more details.
13  *
14  * You should have received a copy of the GNU Lesser General Public
15  * License along with FFmpeg; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17  */
18 
19 #include "config.h"
20 #include "libavutil/imgutils.h"
21 
22 #include "libavcodec/avcodec.h"
23 #include "libavcodec/bsf.h"
24 #include "libavcodec/bytestream.h"
25 #include "libavcodec/internal.h"
26 
27 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
28 
29 static void error(const char *err)
30 {
31  fprintf(stderr, "%s", err);
32  exit(1);
33 }
34 
35 static AVBitStreamFilter *f = NULL;
36 
37 static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;
38 
39 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
40  const uint64_t fuzz_tag = FUZZ_TAG;
41  const uint8_t *last = data;
42  const uint8_t *end = data + size;
43  AVBSFContext *bsf = NULL;
44  AVPacket in, out;
45  uint64_t keyframes = 0;
46  int res;
47 
48  if (!f) {
49 #ifdef FFMPEG_BSF
50 #define BSF_SYMBOL0(BSF) ff_##BSF##_bsf
51 #define BSF_SYMBOL(BSF) BSF_SYMBOL0(BSF)
52  extern AVBitStreamFilter BSF_SYMBOL(FFMPEG_BSF);
53  f = &BSF_SYMBOL(FFMPEG_BSF);
54 #else
55  extern AVBitStreamFilter ff_null_bsf;
56  f = &ff_null_bsf;
57 #endif
58  av_log_set_level(AV_LOG_PANIC);
59  }
60 
61  res = av_bsf_alloc(f, &bsf);
62  if (res < 0)
63  error("Failed memory allocation");
64 
65  if (size > 1024) {
66  GetByteContext gbc;
67  int extradata_size;
68  size -= 1024;
69  bytestream2_init(&gbc, data + size, 1024);
70  bsf->par_in->width = bytestream2_get_le32(&gbc);
71  bsf->par_in->height = bytestream2_get_le32(&gbc);
72  bsf->par_in->bit_rate = bytestream2_get_le64(&gbc);
73  bsf->par_in->bits_per_coded_sample = bytestream2_get_le32(&gbc);
74 
75  if (f->codec_ids) {
76  int i, id;
77  for (i = 0; f->codec_ids[i] != AV_CODEC_ID_NONE; i++);
78  id = f->codec_ids[bytestream2_get_byte(&gbc) % i];
79  bsf->par_in->codec_id = id;
80  bsf->par_in->codec_tag = bytestream2_get_le32(&gbc);
81  }
82 
83  extradata_size = bytestream2_get_le32(&gbc);
84 
85  bsf->par_in->sample_rate = bytestream2_get_le32(&gbc);
86  bsf->par_in->channels = (unsigned)bytestream2_get_le32(&gbc) % FF_SANE_NB_CHANNELS;
87  bsf->par_in->block_align = bytestream2_get_le32(&gbc);
88  keyframes = bytestream2_get_le64(&gbc);
89 
90  if (extradata_size < size) {
91  bsf->par_in->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
92  if (bsf->par_in->extradata) {
93  bsf->par_in->extradata_size = extradata_size;
94  size -= bsf->par_in->extradata_size;
95  memcpy(bsf->par_in->extradata, data + size, bsf->par_in->extradata_size);
96  }
97  }
98  if (av_image_check_size(bsf->par_in->width, bsf->par_in->height, 0, bsf))
99  bsf->par_in->width = bsf->par_in->height = 0;
100  }
101 
102  res = av_bsf_init(bsf);
103  if (res < 0) {
104  av_bsf_free(&bsf);
105  return 0; // Failure of av_bsf_init() does not imply that a issue was found
106  }
107 
108  av_init_packet(&in);
109  av_init_packet(&out);
110  out.data = NULL;
111  out.size = 0;
112  while (data < end) {
113  // Search for the TAG
114  while (data + sizeof(fuzz_tag) < end) {
115  if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)
116  break;
117  data++;
118  }
119  if (data + sizeof(fuzz_tag) > end)
120  data = end;
121 
122  res = av_new_packet(&in, data - last);
123  if (res < 0)
124  error("Failed memory allocation");
125  memcpy(in.data, last, data - last);
126  in.flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;
127  keyframes = (keyframes >> 2) + (keyframes<<62);
128  data += sizeof(fuzz_tag);
129  last = data;
130 
131  while (in.size) {
132  res = av_bsf_send_packet(bsf, &in);
133  if (res < 0 && res != AVERROR(EAGAIN))
134  break;
135  res = av_bsf_receive_packet(bsf, &out);
136  if (res < 0)
137  break;
138  av_packet_unref(&out);
139  }
140  av_packet_unref(&in);
141  }
142 
143  res = av_bsf_send_packet(bsf, NULL);
144  while (!res) {
145  res = av_bsf_receive_packet(bsf, &out);
146  if (res < 0)
147  break;
148  av_packet_unref(&out);
149  }
150 
151  av_bsf_free(&bsf);
152  return 0;
153 }
FF_SANE_NB_CHANNELS
#define FF_SANE_NB_CHANNELS
Definition: internal.h:92
av_bsf_free
void av_bsf_free(AVBSFContext **ctx)
Free a bitstream filter context and everything associated with it; write NULL into the supplied point...
Definition: bsf.c:35
NULL
#define NULL
Definition: coverity.c:32
AV_CODEC_ID_NONE
Definition: avcodec.h:216
data
ptrdiff_t const GLvoid * data
Definition: opengl_enc.c:100
imgutils.h
misc image utilities
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition: target_bsf_fuzzer.c:39
av_log_set_level
void av_log_set_level(int level)
Set the log level.
Definition: log.c:387
AVCodecParameters::codec_id
enum AVCodecID codec_id
Specific type of the encoded data (the codec used).
Definition: avcodec.h:3987
AVBSFContext
The bitstream filter state.
Definition: avcodec.h:5793
AVPacket::size
int size
Definition: avcodec.h:1495
bytestream2_init
static av_always_inline void bytestream2_init(GetByteContext *g, const uint8_t *buf, int buf_size)
Definition: bytestream.h:133
av_mallocz
void * av_mallocz(size_t size)
Allocate a memory block with alignment suitable for all memory accesses (including vectors if availab...
Definition: mem.c:236
error
static void error(const char *err)
Definition: target_bsf_fuzzer.c:29
av_bsf_init
int av_bsf_init(AVBSFContext *ctx)
Prepare the filter for use, after all the parameters and options have been set.
Definition: bsf.c:137
av_bsf_alloc
int av_bsf_alloc(const AVBitStreamFilter *filter, AVBSFContext **ctx)
Allocate a context for a given bitstream filter.
Definition: bsf.c:82
av_bsf_receive_packet
int av_bsf_receive_packet(AVBSFContext *ctx, AVPacket *pkt)
Retrieve a filtered packet.
Definition: bsf.c:217
uint8_t
uint8_t
Definition: audio_convert.c:194
AVCodecParameters::width
int width
Video only.
Definition: avcodec.h:4053
AV_LOG_PANIC
#define AV_LOG_PANIC
Something went really wrong and we will crash now.
Definition: log.h:163
end
static av_cold int end(AVCodecContext *avctx)
Definition: avrndec.c:90
AVPacket::data
uint8_t * data
Definition: avcodec.h:1494
size
ptrdiff_t size
Definition: opengl_enc.c:100
AVCodecParameters::bit_rate
int64_t bit_rate
The average bitrate of the encoded data (in bits per second).
Definition: avcodec.h:4016
AV_PKT_FLAG_KEY
#define AV_PKT_FLAG_KEY
The packet contains a keyframe.
Definition: avcodec.h:1526
av_new_packet
int av_new_packet(AVPacket *pkt, int size)
Allocate the payload of a packet and initialize its fields with default values.
Definition: avpacket.c:86
i
#define i(width, name, range_min, range_max)
Definition: cbs_h2645.c:259
AVBitStreamFilter::codec_ids
enum AVCodecID * codec_ids
A list of codec ids supported by the filter, terminated by AV_CODEC_ID_NONE.
Definition: avcodec.h:5850
AVPacket::flags
int flags
A combination of AV_PKT_FLAG values.
Definition: avcodec.h:1500
AVCodecParameters::extradata_size
int extradata_size
Size of the extradata content in bytes.
Definition: avcodec.h:4005
AVCodecParameters::block_align
int block_align
Audio only.
Definition: avcodec.h:4104
av_image_check_size
int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx)
Check if the given dimension of an image is valid, meaning that all bytes of the image can be address...
Definition: imgutils.c:282
av_bsf_send_packet
int av_bsf_send_packet(AVBSFContext *ctx, AVPacket *pkt)
Submit a packet for filtering.
Definition: bsf.c:190
FUZZ_TAG
static const uint64_t FUZZ_TAG
Definition: target_bsf_fuzzer.c:37
avcodec.h
Libavcodec external API header.
av_packet_unref
void av_packet_unref(AVPacket *pkt)
Wipe the packet.
Definition: avpacket.c:599
in
uint8_t pi<< 24) CONV_FUNC_GROUP(AV_SAMPLE_FMT_FLT, float, AV_SAMPLE_FMT_U8, uint8_t,(*(const uint8_t *) pi-0x80)*(1.0f/(1<< 7))) CONV_FUNC_GROUP(AV_SAMPLE_FMT_DBL, double, AV_SAMPLE_FMT_U8, uint8_t,(*(const uint8_t *) pi-0x80)*(1.0/(1<< 7))) CONV_FUNC_GROUP(AV_SAMPLE_FMT_U8, uint8_t, AV_SAMPLE_FMT_S16, int16_t,(*(const int16_t *) pi >> 8)+0x80) CONV_FUNC_GROUP(AV_SAMPLE_FMT_FLT, float, AV_SAMPLE_FMT_S16, int16_t,*(const int16_t *) pi *(1.0f/(1<< 15))) CONV_FUNC_GROUP(AV_SAMPLE_FMT_DBL, double, AV_SAMPLE_FMT_S16, int16_t,*(const int16_t *) pi *(1.0/(1<< 15))) CONV_FUNC_GROUP(AV_SAMPLE_FMT_U8, uint8_t, AV_SAMPLE_FMT_S32, int32_t,(*(const int32_t *) pi >> 24)+0x80) CONV_FUNC_GROUP(AV_SAMPLE_FMT_FLT, float, AV_SAMPLE_FMT_S32, int32_t,*(const int32_t *) pi *(1.0f/(1U<< 31))) CONV_FUNC_GROUP(AV_SAMPLE_FMT_DBL, double, AV_SAMPLE_FMT_S32, int32_t,*(const int32_t *) pi *(1.0/(1U<< 31))) CONV_FUNC_GROUP(AV_SAMPLE_FMT_U8, uint8_t, AV_SAMPLE_FMT_FLT, float, av_clip_uint8(lrintf(*(const float *) pi *(1<< 7))+0x80)) CONV_FUNC_GROUP(AV_SAMPLE_FMT_S16, int16_t, AV_SAMPLE_FMT_FLT, float, av_clip_int16(lrintf(*(const float *) pi *(1<< 15)))) CONV_FUNC_GROUP(AV_SAMPLE_FMT_S32, int32_t, AV_SAMPLE_FMT_FLT, float, av_clipl_int32(llrintf(*(const float *) pi *(1U<< 31)))) CONV_FUNC_GROUP(AV_SAMPLE_FMT_U8, uint8_t, AV_SAMPLE_FMT_DBL, double, av_clip_uint8(lrint(*(const double *) pi *(1<< 7))+0x80)) CONV_FUNC_GROUP(AV_SAMPLE_FMT_S16, int16_t, AV_SAMPLE_FMT_DBL, double, av_clip_int16(lrint(*(const double *) pi *(1<< 15)))) CONV_FUNC_GROUP(AV_SAMPLE_FMT_S32, int32_t, AV_SAMPLE_FMT_DBL, double, av_clipl_int32(llrint(*(const double *) pi *(1U<< 31))))#define SET_CONV_FUNC_GROUP(ofmt, ifmt) static void set_generic_function(AudioConvert *ac){}void ff_audio_convert_free(AudioConvert **ac){if(!*ac) return;ff_dither_free(&(*ac) ->dc);av_freep(ac);}AudioConvert *ff_audio_convert_alloc(AVAudioResampleContext *avr, enum AVSampleFormat out_fmt, enum AVSampleFormat in_fmt, int channels, int sample_rate, int apply_map){AudioConvert *ac;int in_planar, out_planar;ac=av_mallocz(sizeof(*ac));if(!ac) return NULL;ac->avr=avr;ac->out_fmt=out_fmt;ac->in_fmt=in_fmt;ac->channels=channels;ac->apply_map=apply_map;if(avr->dither_method!=AV_RESAMPLE_DITHER_NONE &&av_get_packed_sample_fmt(out_fmt)==AV_SAMPLE_FMT_S16 &&av_get_bytes_per_sample(in_fmt) > 2){ac->dc=ff_dither_alloc(avr, out_fmt, in_fmt, channels, sample_rate, apply_map);if(!ac->dc){av_free(ac);return NULL;}return ac;}in_planar=ff_sample_fmt_is_planar(in_fmt, channels);out_planar=ff_sample_fmt_is_planar(out_fmt, channels);if(in_planar==out_planar){ac->func_type=CONV_FUNC_TYPE_FLAT;ac->planes=in_planar?ac->channels:1;}else if(in_planar) ac->func_type=CONV_FUNC_TYPE_INTERLEAVE;else ac->func_type=CONV_FUNC_TYPE_DEINTERLEAVE;set_generic_function(ac);if(ARCH_AARCH64) ff_audio_convert_init_aarch64(ac);if(ARCH_ARM) ff_audio_convert_init_arm(ac);if(ARCH_X86) ff_audio_convert_init_x86(ac);return ac;}int ff_audio_convert(AudioConvert *ac, AudioData *out, AudioData *in){int use_generic=1;int len=in->nb_samples;int p;if(ac->dc){av_log(ac->avr, AV_LOG_TRACE,"%d samples - audio_convert: %s to %s (dithered)\n", len, av_get_sample_fmt_name(ac->in_fmt), av_get_sample_fmt_name(ac->out_fmt));return ff_convert_dither(ac-> in
Definition: audio_convert.c:194
ff_null_bsf
const AVBitStreamFilter ff_null_bsf
Definition: null_bsf.c:32
f
static AVBitStreamFilter * f
Definition: target_bsf_fuzzer.c:35
AVCodecParameters::sample_rate
int sample_rate
Audio only.
Definition: avcodec.h:4097
AV_PKT_FLAG_DISCARD
#define AV_PKT_FLAG_DISCARD
Flag is used to discard packets which are required to maintain valid decoder state but are not requir...
Definition: avcodec.h:1533
internal.h
common internal api header.
av_init_packet
void av_init_packet(AVPacket *pkt)
Initialize optional fields of a packet with default values.
Definition: avpacket.c:33
AV_INPUT_BUFFER_PADDING_SIZE
#define AV_INPUT_BUFFER_PADDING_SIZE
Required number of additionally allocated bytes at the end of the input bitstream for decoding...
Definition: avcodec.h:797
AV_RN64
#define AV_RN64(p)
Definition: intreadwrite.h:368
AVCodecParameters::bits_per_coded_sample
int bits_per_coded_sample
The number of bits per sample in the codedwords.
Definition: avcodec.h:4029
AVCodecParameters::extradata
uint8_t * extradata
Extra binary data needed for initializing the decoder, codec-dependent.
Definition: avcodec.h:4001
AVCodecParameters::channels
int channels
Audio only.
Definition: avcodec.h:4093
out
FILE * out
Definition: movenc.c:54
AVCodecParameters::codec_tag
uint32_t codec_tag
Additional information about the codec (corresponds to the AVI FOURCC).
Definition: avcodec.h:3991
AVERROR
Filter the word “frame” indicates either a video frame or a group of audio as stored in an AVFrame structure Format for each input and each output the list of supported formats For video that means pixel format For audio that means channel sample they are references to shared objects When the negotiation mechanism computes the intersection of the formats supported at each end of a all references to both lists are replaced with a reference to the intersection And when a single format is eventually chosen for a link amongst the remaining all references to the list are updated That means that if a filter requires that its input and output have the same format amongst a supported all it has to do is use a reference to the same list of formats query_formats can leave some formats unset and return AVERROR(EAGAIN) to cause the negotiation mechanism toagain later.That can be used by filters with complex requirements to use the format negotiated on one link to set the formats supported on another.Frame references ownership and permissions
id
enum AVCodecID id
Definition: extract_extradata_bsf.c:332
AVPacket
This structure stores compressed data.
Definition: avcodec.h:1471
AVBSFContext::par_in
AVCodecParameters * par_in
Parameters of the input stream.
Definition: avcodec.h:5821
Generated on Sun Jan 26 2020 19:21:45 for FFmpeg by   doxygen 1.8.11