[FFmpeg-trac] #11400(avfilter:new): Consider adding a fuzzer for filtergraphs
FFmpeg
trac at avcodec.org
Sun Jan 5 23:05:46 EET 2025
#11400: Consider adding a fuzzer for filtergraphs
-------------------------------------+-------------------------------------
Reporter: somehacker | Type: enhancement
Status: new | Priority: normal
Component: avfilter | Version: git-master
Keywords: fuzzer fuzzing test filters | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Hi!
I have started developing a fuzzer for filtergraphs which you can read
about here:
<https://personnumber3377.github.io/projects/fuzzing_ffmpeg_avfilter_graph_parse_ptr.html>.
I made a fork of ffmpeg here: <https://github.com/personnumber3377/ffmpeg>,
which has the fuzzer source code. I already found a couple of bugs with it
(for example <https://trac.ffmpeg.org/ticket/11395>). I don't know how worth
it it is to fuzz filtergraphs, because they shouldn't be attacker
controlled anyway, since usually the filtergraphs are specified by
developers when using ffmpeg in other projects and only the input and
output files should be controlled by users (and possible attackers). My
fuzzer source code is based on the example code in
doc/examples/decode_filter_video.c and doc/examples/decode_filter_audio.c.
My fuzzer works by first validating the filtergraph for syntax by
calling avfilter_graph_parse_ptr and then continuing if it is valid, and
then just having a small video file in memory, which is then read with
fmemopen similar to an actual file and then processed with the fuzzer
generated filtergraph string. I am only getting one or two execs a second
when running my fuzzer, even though the in-memory video file is just a
couple of kilobytes.
Maybe someone can optimize it further or maybe do a complete rewrite of
this even???
Thanks in advance for your ideas and thoughts!
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11400>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker