FFmpeg
target_bsf_fuzzer.c
Go to the documentation of this file.
1 /*
2  * This file is part of FFmpeg.
3  *
4  * FFmpeg is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU Lesser General Public
6  * License as published by the Free Software Foundation; either
7  * version 2.1 of the License, or (at your option) any later version.
8  *
9  * FFmpeg is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * Lesser General Public License for more details.
13  *
14  * You should have received a copy of the GNU Lesser General Public
15  * License along with FFmpeg; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
17  */
18 
19 #include "config.h"
20 #include "libavutil/imgutils.h"
21 #include "libavutil/mem.h"
22 #include "libavutil/opt.h"
23 
24 #include "libavcodec/avcodec.h"
25 #include "libavcodec/bsf.h"
26 #include "libavcodec/bsf_internal.h"
27 #include "libavcodec/bytestream.h"
28 #include "libavcodec/internal.h"
29 
30 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
31 
32 static void error(const char *err)
33 {
34  fprintf(stderr, "%s", err);
35  exit(1);
36 }
37 
38 static const AVBitStreamFilter *f = NULL;
39 
40 static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;
41 
42 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
43  const uint64_t fuzz_tag = FUZZ_TAG;
44  const uint8_t *last = data;
45  const uint8_t *end = data + size;
46  AVBSFContext *bsf = NULL;
47  AVPacket *pkt;
48  uint64_t keyframes = 0;
49  uint64_t flushpattern = -1;
50  int res;
51 
52  if (!f) {
53 #ifdef FFMPEG_BSF
54 #define BSF_SYMBOL0(BSF) ff_##BSF##_bsf
55 #define BSF_SYMBOL(BSF) BSF_SYMBOL0(BSF)
56  extern const AVBitStreamFilter BSF_SYMBOL(FFMPEG_BSF);
57  f = &BSF_SYMBOL(FFMPEG_BSF);
58 #endif
59  av_log_set_level(AV_LOG_PANIC);
60  }
61 
62  res = f ? av_bsf_alloc(f, &bsf) : av_bsf_get_null_filter(&bsf);
63  if (res < 0)
64  error("Failed memory allocation");
65  f = bsf->filter;
66 
67  if (size > 1024) {
68  GetByteContext gbc;
69  int extradata_size;
70  int flags;
71  size -= 1024;
72  bytestream2_init(&gbc, data + size, 1024);
73  bsf->par_in->width = bytestream2_get_le32(&gbc);
74  bsf->par_in->height = bytestream2_get_le32(&gbc);
75  bsf->par_in->bit_rate = bytestream2_get_le64(&gbc);
76  bsf->par_in->bits_per_coded_sample = bytestream2_get_le32(&gbc);
77 
78  if (f->codec_ids) {
79  int i, id;
80  for (i = 0; f->codec_ids[i] != AV_CODEC_ID_NONE; i++);
81  id = f->codec_ids[bytestream2_get_byte(&gbc) % i];
82  bsf->par_in->codec_id = id;
83  bsf->par_in->codec_tag = bytestream2_get_le32(&gbc);
84  }
85 
86  extradata_size = bytestream2_get_le32(&gbc);
87 
88  bsf->par_in->sample_rate = bytestream2_get_le32(&gbc);
89  bsf->par_in->ch_layout.nb_channels = (unsigned)bytestream2_get_le32(&gbc) % FF_SANE_NB_CHANNELS;
90  bsf->par_in->block_align = bytestream2_get_le32(&gbc);
91  keyframes = bytestream2_get_le64(&gbc);
92  flushpattern = bytestream2_get_le64(&gbc);
93  flags = bytestream2_get_byte(&gbc);
94 
95  if (flags & 0x20) {
96  if (!strcmp(f->name, "av1_metadata"))
97  av_opt_set_int(bsf->priv_data, "td", bytestream2_get_byte(&gbc) % 3, 0);
98  else if (!strcmp(f->name, "h264_metadata") || !strcmp(f->name, "hevc_metadata") ||
99  !strcmp(f->name, "vvc_metadata"))
100  av_opt_set_int(bsf->priv_data, "aud", bytestream2_get_byte(&gbc) % 3, 0);
101  else if (!strcmp(f->name, "extract_extradata"))
102  av_opt_set_int(bsf->priv_data, "remove", bytestream2_get_byte(&gbc) & 1, 0);
103  }
104 
105  if (extradata_size < size) {
106  bsf->par_in->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
107  if (bsf->par_in->extradata) {
108  bsf->par_in->extradata_size = extradata_size;
109  size -= bsf->par_in->extradata_size;
110  memcpy(bsf->par_in->extradata, data + size, bsf->par_in->extradata_size);
111  }
112  }
113  if (av_image_check_size(bsf->par_in->width, bsf->par_in->height, 0, bsf))
114  bsf->par_in->width = bsf->par_in->height = 0;
115  }
116 
117  res = av_bsf_init(bsf);
118  if (res < 0) {
119  av_bsf_free(&bsf);
120  return 0; // Failure of av_bsf_init() does not imply that a issue was found
121  }
122 
123  pkt = av_packet_alloc();
124  if (!pkt)
125  error("Failed memory allocation");
126 
127  while (data < end) {
128  // Search for the TAG
129  while (data + sizeof(fuzz_tag) < end) {
130  if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)
131  break;
132  data++;
133  }
134  if (data + sizeof(fuzz_tag) > end)
135  data = end;
136 
137  res = av_new_packet(pkt, data - last);
138  if (res < 0)
139  error("Failed memory allocation");
140  memcpy(pkt->data, last, data - last);
141  pkt->flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;
142  keyframes = (keyframes >> 2) + (keyframes<<62);
143  data += sizeof(fuzz_tag);
144  last = data;
145 
146  if (!(flushpattern & 7))
147  av_bsf_flush(bsf);
148  flushpattern = (flushpattern >> 3) + (flushpattern << 61);
149 
150  res = av_bsf_send_packet(bsf, pkt);
151  if (res < 0) {
152  av_packet_unref(pkt);
153  continue;
154  }
155  while (av_bsf_receive_packet(bsf, pkt) >= 0)
156  av_packet_unref(pkt);
157  }
158 
159  av_bsf_send_packet(bsf, NULL);
160  while (av_bsf_receive_packet(bsf, pkt) >= 0)
161  av_packet_unref(pkt);
162 
163  av_packet_free(&pkt);
164  av_bsf_free(&bsf);
165  return 0;
166 }
error
static void error(const char *err)
Definition: target_bsf_fuzzer.c:32
flags
const SwsFlags flags[]
Definition: swscale.c:61
av_packet_unref
void av_packet_unref(AVPacket *pkt)
Wipe the packet.
Definition: packet.c:430
AVBSFContext::par_in
AVCodecParameters * par_in
Parameters of the input stream.
Definition: bsf.h:90
AVCodecParameters::extradata
uint8_t * extradata
Extra binary data needed for initializing the decoder, codec-dependent.
Definition: codec_par.h:69
bsf_internal.h
opt.h
GetByteContext
Definition: bytestream.h:33
AV_LOG_PANIC
#define AV_LOG_PANIC
Something went really wrong and we will crash now.
Definition: log.h:197
AV_PKT_FLAG_DISCARD
#define AV_PKT_FLAG_DISCARD
Flag is used to discard packets which are required to maintain valid decoder state but are not requir...
Definition: packet.h:597
AVBitStreamFilter::name
const char * name
Definition: bsf.h:112
AV_RN64
#define AV_RN64(p)
Definition: intreadwrite.h:364
internal.h
AVPacket::data
uint8_t * data
Definition: packet.h:535
data
const char data[16]
Definition: mxf.c:149
AVCodecParameters::codec_tag
uint32_t codec_tag
Additional information about the codec (corresponds to the AVI FOURCC).
Definition: codec_par.h:59
AVChannelLayout::nb_channels
int nb_channels
Number of channels in this layout.
Definition: channel_layout.h:329
av_bsf_free
void av_bsf_free(AVBSFContext **pctx)
Free a bitstream filter context and everything associated with it; write NULL into the supplied point...
Definition: bsf.c:52
AV_PKT_FLAG_KEY
#define AV_PKT_FLAG_KEY
The packet contains a keyframe.
Definition: packet.h:590
av_packet_free
void av_packet_free(AVPacket **pkt)
Free the packet, if the packet is reference counted, it will be unreferenced first.
Definition: packet.c:75
AVBSFContext
The bitstream filter state.
Definition: bsf.h:68
bsf.h
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition: target_bsf_fuzzer.c:42
pkt
AVPacket * pkt
Definition: movenc.c:60
av_new_packet
int av_new_packet(AVPacket *pkt, int size)
Allocate the payload of a packet and initialize its fields with default values.
Definition: packet.c:99
av_bsf_flush
void av_bsf_flush(AVBSFContext *ctx)
Reset the internal bitstream filter state.
Definition: bsf.c:190
AVCodecParameters::width
int width
Video only.
Definition: codec_par.h:134
FUZZ_TAG
static const uint64_t FUZZ_TAG
Definition: target_bsf_fuzzer.c:40
f
static const AVBitStreamFilter * f
Definition: target_bsf_fuzzer.c:38
av_bsf_alloc
int av_bsf_alloc(const AVBitStreamFilter *filter, AVBSFContext **pctx)
Allocate a context for a given bitstream filter.
Definition: bsf.c:104
AVBitStreamFilter::codec_ids
enum AVCodecID * codec_ids
A list of codec ids supported by the filter, terminated by AV_CODEC_ID_NONE.
Definition: bsf.h:119
av_bsf_init
int av_bsf_init(AVBSFContext *ctx)
Prepare the filter for use, after all the parameters and options have been set.
Definition: bsf.c:149
NULL
#define NULL
Definition: coverity.c:32
av_bsf_receive_packet
int av_bsf_receive_packet(AVBSFContext *ctx, AVPacket *pkt)
Retrieve a filtered packet.
Definition: bsf.c:230
AVCodecParameters::ch_layout
AVChannelLayout ch_layout
Audio only.
Definition: codec_par.h:180
AVCodecParameters::sample_rate
int sample_rate
Audio only.
Definition: codec_par.h:184
av_opt_set_int
int av_opt_set_int(void *obj, const char *name, int64_t val, int search_flags)
Definition: opt.c:880
AVCodecParameters::extradata_size
int extradata_size
Size of the extradata content in bytes.
Definition: codec_par.h:73
av_bsf_send_packet
int av_bsf_send_packet(AVBSFContext *ctx, AVPacket *pkt)
Submit a packet for filtering.
Definition: bsf.c:202
size
int size
Definition: twinvq_data.h:10344
AVPacket::flags
int flags
A combination of AV_PKT_FLAG values.
Definition: packet.h:541
av_packet_alloc
AVPacket * av_packet_alloc(void)
Allocate an AVPacket and set its fields to default values.
Definition: packet.c:64
av_log_set_level
void av_log_set_level(int level)
Set the log level.
Definition: log.c:474
AV_CODEC_ID_NONE
@ AV_CODEC_ID_NONE
Definition: codec_id.h:50
i
#define i(width, name, range_min, range_max)
Definition: cbs_h2645.c:256
AVCodecParameters::height
int height
Definition: codec_par.h:135
AVCodecParameters::block_align
int block_align
Audio only.
Definition: codec_par.h:191
av_mallocz
void * av_mallocz(size_t size)
Allocate a memory block with alignment suitable for all memory accesses (including vectors if availab...
Definition: mem.c:256
avcodec.h
AVBSFContext::priv_data
void * priv_data
Opaque filter-specific private data.
Definition: bsf.h:83
av_bsf_get_null_filter
int av_bsf_get_null_filter(AVBSFContext **bsf)
Get null/pass-through bitstream filter.
Definition: bsf.c:553
AV_INPUT_BUFFER_PADDING_SIZE
#define AV_INPUT_BUFFER_PADDING_SIZE
Definition: defs.h:40
id
enum AVCodecID id
Definition: dts2pts.c:367
AVBitStreamFilter
Definition: bsf.h:111
AVBSFContext::filter
const struct AVBitStreamFilter * filter
The bitstream filter this context is an instance of.
Definition: bsf.h:77
AVCodecParameters::bits_per_coded_sample
int bits_per_coded_sample
The number of bits per sample in the codedwords.
Definition: codec_par.h:110
mem.h
AVCodecParameters::codec_id
enum AVCodecID codec_id
Specific type of the encoded data (the codec used).
Definition: codec_par.h:55
AVPacket
This structure stores compressed data.
Definition: packet.h:512
bytestream.h
imgutils.h
bytestream2_init
static av_always_inline void bytestream2_init(GetByteContext *g, const uint8_t *buf, int buf_size)
Definition: bytestream.h:137
AVCodecParameters::bit_rate
int64_t bit_rate
The average bitrate of the encoded data (in bits per second).
Definition: codec_par.h:97
av_image_check_size
int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx)
Check if the given dimension of an image is valid, meaning that all bytes of the image can be address...
Definition: imgutils.c:318
FF_SANE_NB_CHANNELS
#define FF_SANE_NB_CHANNELS
Definition: internal.h:37
Generated on Wed Jun 18 2025 19:23:54 for FFmpeg by   doxygen 1.8.17