[FFmpeg-devel] [PATCH v2] add tools/target_swr_fuzzer

James Almer jamrial at gmail.com
Wed Aug 7 22:02:23 EEST 2024 

On 8/7/2024 2:13 PM, Michael Niedermayer wrote:
> On Wed, Aug 07, 2024 at 01:05:40PM -0300, James Almer wrote:
>>
>>
>> On 8/7/2024 12:51 PM, Michael Niedermayer wrote:
>>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>>> ---
>>>    Makefile                  |   2 +
>>>    tools/Makefile            |   3 +
>>>    tools/target_swr_fuzzer.c | 150 ++++++++++++++++++++++++++++++++++++++
>>>    3 files changed, 155 insertions(+)
>>>    create mode 100644 tools/target_swr_fuzzer.c
>>>
>>> diff --git a/Makefile b/Makefile
>>> index 4c3af09fec4..b350d7748f5 100644
>>> --- a/Makefile
>>> +++ b/Makefile
>>> @@ -70,6 +70,8 @@ tools/target_io_dem_fuzzer$(EXESUF): tools/target_io_dem_fuzzer.o $(FF_DEP_LIBS)
>>>    tools/target_sws_fuzzer$(EXESUF): tools/target_sws_fuzzer.o $(FF_DEP_LIBS)
>>>    	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>>> +tools/target_swr_fuzzer$(EXESUF): tools/target_swr_fuzzer.o $(FF_DEP_LIBS)
>>> +	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>>>    tools/enum_options$(EXESUF): ELIBS = $(FF_EXTRALIBS)
>>>    tools/enum_options$(EXESUF): $(FF_DEP_LIBS)
>>> diff --git a/tools/Makefile b/tools/Makefile
>>> index 2a11fa0ae62..7ae6e3cb75d 100644
>>> --- a/tools/Makefile
>>> +++ b/tools/Makefile
>>> @@ -23,6 +23,9 @@ tools/target_io_dem_fuzzer.o: tools/target_dem_fuzzer.c
>>>    tools/target_sws_fuzzer.o: tools/target_sws_fuzzer.c
>>>    	$(COMPILE_C)
>>> +tools/target_swr_fuzzer.o: tools/target_swr_fuzzer.c
>>> +	$(COMPILE_C)
>>> +
>>>    tools/enc_recon_frame_test$(EXESUF): tools/decode_simple.o
>>>    tools/venc_data_dump$(EXESUF): tools/decode_simple.o
>>>    tools/scale_slice_test$(EXESUF): tools/decode_simple.o
>>> diff --git a/tools/target_swr_fuzzer.c b/tools/target_swr_fuzzer.c
>>> new file mode 100644
>>> index 00000000000..b8af0bad78c
>>> --- /dev/null
>>> +++ b/tools/target_swr_fuzzer.c
>>> @@ -0,0 +1,150 @@
>>> +/*
>>> + * Copyright (c) 2024 Michael Niedermayer <michael-ffmpeg at niedermayer.cc>
>>> + *
>>> + * This file is part of FFmpeg.
>>> + *
>>> + * FFmpeg is free software; you can redistribute it and/or
>>> + * modify it under the terms of the GNU Lesser General Public
>>> + * License as published by the Free Software Foundation; either
>>> + * version 2.1 of the License, or (at your option) any later version.
>>> + *
>>> + * FFmpeg is distributed in the hope that it will be useful,
>>> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
>>> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>>> + * Lesser General Public License for more details.
>>> + *
>>> + * You should have received a copy of the GNU Lesser General Public
>>> + * License along with FFmpeg; if not, write to the Free Software
>>> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>>> + */
>>> +
>>> +#include "config.h"
>>> +#include "libavutil/avassert.h"
>>> +#include "libavutil/avstring.h"
>>> +#include "libavutil/cpu.h"
>>> +#include "libavutil/imgutils.h"
>>> +#include "libavutil/intreadwrite.h"
>>> +#include "libavutil/mem.h"
>>> +#include "libavutil/opt.h"
>>> +
>>> +#include "libavcodec/bytestream.h"
>>> +
>>> +#include "libswresample/swresample.h"
>>> +
>>> +#define SWR_CH_MAX 32
>>> +
>>> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
>>> +
>>> +static const enum AVSampleFormat formats[] = {
>>> +    AV_SAMPLE_FMT_U8,
>>> +    AV_SAMPLE_FMT_U8P,
>>> +    AV_SAMPLE_FMT_S16,
>>> +    AV_SAMPLE_FMT_S16P,
>>> +    AV_SAMPLE_FMT_S32,
>>> +    AV_SAMPLE_FMT_S32P,
>>> +    AV_SAMPLE_FMT_FLT,
>>> +    AV_SAMPLE_FMT_FLTP,
>>> +    AV_SAMPLE_FMT_DBL,
>>> +    AV_SAMPLE_FMT_DBLP,
>>> +};
>>> +
>>> +static const AVChannelLayout layouts[]={
>>> +    AV_CHANNEL_LAYOUT_MONO               ,
>>> +    AV_CHANNEL_LAYOUT_STEREO             ,
>>> +    AV_CHANNEL_LAYOUT_2_1                ,
>>> +    AV_CHANNEL_LAYOUT_SURROUND           ,
>>> +    AV_CHANNEL_LAYOUT_4POINT0            ,
>>> +    AV_CHANNEL_LAYOUT_2_2                ,
>>> +    AV_CHANNEL_LAYOUT_QUAD               ,
>>> +    AV_CHANNEL_LAYOUT_5POINT0            ,
>>> +    AV_CHANNEL_LAYOUT_5POINT1            ,
>>> +    AV_CHANNEL_LAYOUT_5POINT0_BACK       ,
>>> +    AV_CHANNEL_LAYOUT_5POINT1_BACK       ,
>>> +    AV_CHANNEL_LAYOUT_7POINT0            ,
>>> +    AV_CHANNEL_LAYOUT_7POINT1            ,
>>> +    AV_CHANNEL_LAYOUT_7POINT1_WIDE       ,
>>> +    AV_CHANNEL_LAYOUT_22POINT2           ,
>>> +    AV_CHANNEL_LAYOUT_5POINT1POINT2_BACK ,
>>
>> Maybe also AV_CHANNEL_LAYOUT_22POINT2 to ensure the fallback to 7.1(wide)+BC
>> in rematrix.c works as intended.
> 
> added with my time-machiene, can you confirm its in the mail i sent before
> your reply ?

I'm blind, disregard this.

> 
> 
>>
>>> +};
>>> +
>>> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
>>> +    const uint8_t *end = data + size;
>>> +    struct SwrContext * swr= NULL;
>>> +    AVChannelLayout in_ch_layout = { 0 }, out_ch_layout = { 0 };
>>> +    enum AVSampleFormat  in_sample_fmt = AV_SAMPLE_FMT_S16P;
>>> +    enum AVSampleFormat out_sample_fmt = AV_SAMPLE_FMT_S16P;
>>> +    int  in_sample_rate = 44100;
>>> +    int out_sample_rate = 44100;
>>> +    int in_ch_count, out_ch_count;
>>> +    char  in_layout_string[256];
>>> +    char out_layout_string[256];
>>> +    uint8_t * ain[SWR_CH_MAX];
>>> +    uint8_t *aout[SWR_CH_MAX];
>>> +    uint8_t *out_data;
>>> +    int in_sample_nb;
>>> +    int out_sample_nb = size;
>>> +    int count;
>>> +
>>> +    if (size > 128) {
>>> +        GetByteContext gbc;
>>> +        int64_t flags64;
>>> +
>>> +        size -= 128;
>>> +        bytestream2_init(&gbc, data + size, 128);
>>> +         in_sample_rate = bytestream2_get_le16(&gbc) + 1;
>>> +        out_sample_rate = bytestream2_get_le16(&gbc) + 1;
>>> +         in_sample_fmt  = formats[bytestream2_get_byte(&gbc) % FF_ARRAY_ELEMS(formats)];
>>> +        out_sample_fmt  = formats[bytestream2_get_byte(&gbc) % FF_ARRAY_ELEMS(formats)];
>>> +        av_channel_layout_copy(& in_ch_layout,  &layouts[bytestream2_get_byte(&gbc) % FF_ARRAY_ELEMS(layouts)]);
>>> +        av_channel_layout_copy(&out_ch_layout,  &layouts[bytestream2_get_byte(&gbc) % FF_ARRAY_ELEMS(layouts)]);
>>
>> Since you're only using native layouts, you could make the layouts array be
>> of uint64_t masks (AV_CH_LAYOUT_*) and use av_channel_layout_from_mask()
>> here.
> 
> I still refuse to do this because the fuzzer should have maximal coverage
> and limiting things to subsets goes against that idea even if the current
> code is limited to a subset
> 
> Maybe iam missing something of course, but it simply doesnt seem the right
> direction

You're not really testing any fuzzed input whatsoever here because 
you're passing strictly supported values to av_channel_layout_copy().
The difference in using av_channel_layout_from_mask() is that it should 
be slightly faster (No uninit() call and no copy of the entire struct, 
setting only the three fields that matter).

But it's mostly a nit too, so it's fine as is if you prefer it.

> 
> 
>>
>>> +
>>> +        out_sample_nb = bytestream2_get_le32(&gbc);
>>> +
>>> +        flags64 = bytestream2_get_le64(&gbc);
>>> +        if (flags64 & 0x10)
>>> +            av_force_cpu_flags(0);
>>> +    } else {
>>> +        av_channel_layout_copy(& in_ch_layout,  &layouts[0]);
>>> +        av_channel_layout_copy(&out_ch_layout,  &layouts[0]);
>>
>> This else chunk can be removed if you initialize both layouts above to
>> (AVChannelLayout)AV_CHANNEL_LAYOUT_MONO instead.
> 
> changed
> 
> 
>>
>>> +    }
>>> +
>>> +     in_ch_count=  in_ch_layout.nb_channels;
>>> +    out_ch_count= out_ch_layout.nb_channels;
>>> +    av_channel_layout_describe(& in_ch_layout,  in_layout_string, sizeof( in_layout_string));
>>> +    av_channel_layout_describe(&out_ch_layout, out_layout_string, sizeof(out_layout_string));
>>> +
>>> +    fprintf(stderr, "%s %d %s -> %s %d %s\n",
>>> +            av_get_sample_fmt_name( in_sample_fmt),  in_sample_rate,  in_layout_string,
>>> +            av_get_sample_fmt_name(out_sample_fmt), out_sample_rate, out_layout_string);
>>> +
>>> +    if (swr_alloc_set_opts2(&swr, &out_ch_layout, out_sample_fmt, out_sample_rate,
>>> +                                  &in_ch_layout,   in_sample_fmt,  in_sample_rate,
>>> +                                  0, 0) < 0) {
>>> +        fprintf(stderr, "Failed swr_alloc_set_opts2()\n");
>>> +        goto end;
>>> +    }
>>> +
>>> +    if(swr_init(swr) < 0) {
>>
>> nit: space after the if.
> 
> changed
> 
> thx
> 
> [...]
> 
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".

More information about the ffmpeg-devel mailing list