diff mbox series

[FFmpeg-devel] Gsoc: add the two fuzzy targets

Message ID 20210419090610.57745-1-a397341575@163.com
State New
Headers show
Series [FFmpeg-devel] Gsoc: add the two fuzzy targets | expand

Checks

Context Check Description
andriy/x86_make_warn warning New warnings during build
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Heng Zhang April 19, 2021, 9:06 a.m. UTC 
From: toseven <Byone.heng@gmail.com>

---
 Makefile                       |   5 ++
 tools/Makefile                 |   6 ++
 tools/target_avpacket_fuzzer.c | 125 +++++++++++++++++++++++++++++++++
 tools/target_formats_fuzzer.c  | 120 +++++++++++++++++++++++++++++++
 4 files changed, 256 insertions(+)
 create mode 100644 tools/target_avpacket_fuzzer.c
 create mode 100644 tools/target_formats_fuzzer.c

Comments

Michael Niedermayer April 19, 2021, 9:47 a.m. UTC | #1 
On Mon, Apr 19, 2021 at 05:06:10PM +0800, a397341575@163.com wrote:
> From: toseven <Byone.heng@gmail.com>
> 
> ---
>  Makefile                       |   5 ++
>  tools/Makefile                 |   6 ++
>  tools/target_avpacket_fuzzer.c | 125 +++++++++++++++++++++++++++++++++
>  tools/target_formats_fuzzer.c  | 120 +++++++++++++++++++++++++++++++
>  4 files changed, 256 insertions(+)
>  create mode 100644 tools/target_avpacket_fuzzer.c
>  create mode 100644 tools/target_formats_fuzzer.c
> 
> diff --git a/Makefile b/Makefile
> index 7e9d8b08c3..45509ab3b5 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -62,6 +62,11 @@ tools/target_dem_fuzzer$(EXESUF): tools/target_dem_fuzzer.o $(FF_DEP_LIBS)
>  tools/target_io_dem_fuzzer$(EXESUF): tools/target_io_dem_fuzzer.o $(FF_DEP_LIBS)
>  	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>  
> +tools/target_avpacket_fuzzer$(EXESUF): tools/target_avpacket_fuzzer.o $(FF_DEP_LIBS)
> +	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
> +
> +tools/target_formats_fuzzer$(EXESUF): tools/target_formats_fuzzer.o $(FF_DEP_LIBS)
> +	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>  
>  tools/enum_options$(EXESUF): ELIBS = $(FF_EXTRALIBS)
>  tools/enum_options$(EXESUF): $(FF_DEP_LIBS)

> diff --git a/tools/Makefile b/tools/Makefile
> index 82baa8eadb..7ef720c8ba 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -17,6 +17,12 @@ tools/target_dem_fuzzer.o: tools/target_dem_fuzzer.c
>  tools/target_io_dem_fuzzer.o: tools/target_dem_fuzzer.c
>  	$(COMPILE_C) -DIO_FLAT=0
>  
> +tools/target_avpacket_fuzzer.o: tools/target_avpacket_fuzzer.c
> +	$(COMPILE_C) 
> +
> +tools/target_avpacket_fuzzer.o: tools/target_formats_fuzzer.c
> +	$(COMPILE_C) 
> +

The target is duplicate




>  OUTDIRS += tools
>  
>  clean::
> diff --git a/tools/target_avpacket_fuzzer.c b/tools/target_avpacket_fuzzer.c
> new file mode 100644
> index 0000000000..e5e7b3d4c8
> --- /dev/null
> +++ b/tools/target_avpacket_fuzzer.c
> @@ -0,0 +1,125 @@
> +/*
> + * This file is part of FFmpeg.
> + *
> + * FFmpeg is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU Lesser General Public
> + * License as published by the Free Software Foundation; either
> + * version 2.1 of the License, or (at your option) any later version.
> + *
> + * FFmpeg is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> + * Lesser General Public License for more details.
> + *
> + * You should have received a copy of the GNU Lesser General Public
> + * License along with FFmpeg; if not, write to the Free Software
> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> + */
> +
> +#include <inttypes.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +
> +#include "libavcodec/avcodec.h"
> +#include "libavutil/error.h"
> +
> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
> +
> +static int setup_side_data_entry(AVPacket *avpkt)
> +{
> +    const uint8_t *data_name = NULL;
> +    int ret = 0, bytes;
> +    uint8_t *extra_data = NULL;
> +
> +    /* get side_data_name string */
> +    data_name = av_packet_side_data_name(AV_PKT_DATA_NEW_EXTRADATA);
> +    
> +    /* Allocate a memory bloc */
> +    bytes = strlen(data_name);
> +
> +    if (!(extra_data = av_malloc(bytes)))
> +    {
> +        ret = AVERROR(ENOMEM);
> +        fprintf(stderr, "Error occurred: %s\n", av_err2str(ret));
> +        exit(1);
> +    }
> +
> +    /* copy side_data_name to extra_data array */
> +    memcpy(extra_data, data_name, bytes);
> +
> +    /* create side data for AVPacket */
> +    ret = av_packet_add_side_data(avpkt, AV_PKT_DATA_NEW_EXTRADATA, extra_data,
> +                                  bytes);
> +    
> +    if (ret < 0)
> +    {
> +        fprintf(stderr, "Error occurred in av_packet_add_side_data: %s\n",
> +        av_err2str(ret));
> +    }
> +    return ret;

the { } placing style mismatches whats used in FFmpeg (i dont mind but some people do mind)

more general, how much code coverage is gained with these 2 fuzzers compared to what already exists ?

thanks

[...]
Heng Zhang April 20, 2021, 4:34 a.m. UTC | #2 
> 在 2021年4月19日,下午5:47,Michael Niedermayer <michael@niedermayer.cc> 写道:
> 
> On Mon, Apr 19, 2021 at 05:06:10PM +0800, a397341575@163.com <mailto:a397341575@163.com> wrote:
>> From: toseven <Byone.heng@gmail.com>
>> 
>> ---
>> Makefile                       |   5 ++
>> tools/Makefile                 |   6 ++
>> tools/target_avpacket_fuzzer.c | 125 +++++++++++++++++++++++++++++++++
>> tools/target_formats_fuzzer.c  | 120 +++++++++++++++++++++++++++++++
>> 4 files changed, 256 insertions(+)
>> create mode 100644 tools/target_avpacket_fuzzer.c
>> create mode 100644 tools/target_formats_fuzzer.c
>> 
>> diff --git a/Makefile b/Makefile
>> index 7e9d8b08c3..45509ab3b5 100644
>> --- a/Makefile
>> +++ b/Makefile
>> @@ -62,6 +62,11 @@ tools/target_dem_fuzzer$(EXESUF): tools/target_dem_fuzzer.o $(FF_DEP_LIBS)
>> tools/target_io_dem_fuzzer$(EXESUF): tools/target_io_dem_fuzzer.o $(FF_DEP_LIBS)
>> 	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>> 
>> +tools/target_avpacket_fuzzer$(EXESUF): tools/target_avpacket_fuzzer.o $(FF_DEP_LIBS)
>> +	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>> +
>> +tools/target_formats_fuzzer$(EXESUF): tools/target_formats_fuzzer.o $(FF_DEP_LIBS)
>> +	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
>> 
>> tools/enum_options$(EXESUF): ELIBS = $(FF_EXTRALIBS)
>> tools/enum_options$(EXESUF): $(FF_DEP_LIBS)
> 
>> diff --git a/tools/Makefile b/tools/Makefile
>> index 82baa8eadb..7ef720c8ba 100644
>> --- a/tools/Makefile
>> +++ b/tools/Makefile
>> @@ -17,6 +17,12 @@ tools/target_dem_fuzzer.o: tools/target_dem_fuzzer.c
>> tools/target_io_dem_fuzzer.o: tools/target_dem_fuzzer.c
>> 	$(COMPILE_C) -DIO_FLAT=0
>> 
>> +tools/target_avpacket_fuzzer.o: tools/target_avpacket_fuzzer.c
>> +	$(COMPILE_C) 
>> +
>> +tools/target_avpacket_fuzzer.o: tools/target_formats_fuzzer.c
>> +	$(COMPILE_C) 
>> +
> 
> The target is duplicate

This is my mistake.

> 
> 
> 
> 
>> OUTDIRS += tools
>> 
>> clean::
>> diff --git a/tools/target_avpacket_fuzzer.c b/tools/target_avpacket_fuzzer.c
>> new file mode 100644
>> index 0000000000..e5e7b3d4c8
>> --- /dev/null
>> +++ b/tools/target_avpacket_fuzzer.c
>> @@ -0,0 +1,125 @@
>> +/*
>> + * This file is part of FFmpeg.
>> + *
>> + * FFmpeg is free software; you can redistribute it and/or
>> + * modify it under the terms of the GNU Lesser General Public
>> + * License as published by the Free Software Foundation; either
>> + * version 2.1 of the License, or (at your option) any later version.
>> + *
>> + * FFmpeg is distributed in the hope that it will be useful,
>> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
>> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>> + * Lesser General Public License for more details.
>> + *
>> + * You should have received a copy of the GNU Lesser General Public
>> + * License along with FFmpeg; if not, write to the Free Software
>> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>> + */
>> +
>> +#include <inttypes.h>
>> +#include <stdio.h>
>> +#include <stdlib.h>
>> +#include <string.h>
>> +
>> +#include "libavcodec/avcodec.h"
>> +#include "libavutil/error.h"
>> +
>> +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
>> +
>> +static int setup_side_data_entry(AVPacket *avpkt)
>> +{
>> +    const uint8_t *data_name = NULL;
>> +    int ret = 0, bytes;
>> +    uint8_t *extra_data = NULL;
>> +
>> +    /* get side_data_name string */
>> +    data_name = av_packet_side_data_name(AV_PKT_DATA_NEW_EXTRADATA);
>> +    
>> +    /* Allocate a memory bloc */
>> +    bytes = strlen(data_name);
>> +
>> +    if (!(extra_data = av_malloc(bytes)))
>> +    {
>> +        ret = AVERROR(ENOMEM);
>> +        fprintf(stderr, "Error occurred: %s\n", av_err2str(ret));
>> +        exit(1);
>> +    }
>> +
>> +    /* copy side_data_name to extra_data array */
>> +    memcpy(extra_data, data_name, bytes);
>> +
>> +    /* create side data for AVPacket */
>> +    ret = av_packet_add_side_data(avpkt, AV_PKT_DATA_NEW_EXTRADATA, extra_data,
>> +                                  bytes);
>> +    
>> +    if (ret < 0)
>> +    {
>> +        fprintf(stderr, "Error occurred in av_packet_add_side_data: %s\n",
>> +        av_err2str(ret));
>> +    }
>> +    return ret;
> 
> the { } placing style mismatches whats used in FFmpeg (i dont mind but some people do mind)
> 
> more general, how much code coverage is gained with these 2 fuzzers compared to what already exists ?
> 
> thanks

Okay, I will modify my style to adopt for FFmpeg. What is more, I didn’t compare the code coverage between them. Do I have to do this?  I mainly refer to the fate test from libavcodec/tests/avpacket.c and libavfilter/tests/formats.c. 

> 
> [...]
> -- 
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
> 
> "Nothing to hide" only works if the folks in power share the values of
> you and everyone you know entirely and always will -- Tom Scott
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org <mailto:ffmpeg-devel@ffmpeg.org>
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org <mailto:ffmpeg-devel-request@ffmpeg.org> with subject "unsubscribe".
Michael Niedermayer April 20, 2021, 11:12 a.m. UTC | #3 
On Tue, Apr 20, 2021 at 12:34:13PM +0800, Heng Zhang wrote:
> 
> 
> > 在 2021年4月19日,下午5:47,Michael Niedermayer <michael@niedermayer.cc> 写道:
> > 
> > On Mon, Apr 19, 2021 at 05:06:10PM +0800, a397341575@163.com <mailto:a397341575@163.com> wrote:
> >> From: toseven <Byone.heng@gmail.com>
[...]
> >> +    if (ret < 0)
> >> +    {
> >> +        fprintf(stderr, "Error occurred in av_packet_add_side_data: %s\n",
> >> +        av_err2str(ret));
> >> +    }
> >> +    return ret;
> > 
> > the { } placing style mismatches whats used in FFmpeg (i dont mind but some people do mind)
> > 
> > more general, how much code coverage is gained with these 2 fuzzers compared to what already exists ?
> > 
> > thanks
> 
> Okay, I will modify my style to adopt for FFmpeg. What is more, I didn’t compare the code coverage between them. Do I have to do this?  I mainly refer to the fate test from libavcodec/tests/avpacket.c and libavfilter/tests/formats.c.

If code coverage does not improve, what would be the reason for FFmpeg to
include the code ?

Thanks

[...]
Heng Zhang April 22, 2021, 8:13 a.m. UTC | #4 
> 在 2021年4月20日,下午7:12,Michael Niedermayer <michael@niedermayer.cc> 写道:
> 
> On Tue, Apr 20, 2021 at 12:34:13PM +0800, Heng Zhang wrote:
>> 
>> 
>>> 在 2021年4月19日,下午5:47,Michael Niedermayer <michael@niedermayer.cc> 写道:
>>> 
>>> On Mon, Apr 19, 2021 at 05:06:10PM +0800, a397341575@163.com <mailto:a397341575@163.com> wrote:
>>>> From: toseven <Byone.heng@gmail.com>
> [...]
>>>> +    if (ret < 0)
>>>> +    {
>>>> +        fprintf(stderr, "Error occurred in av_packet_add_side_data: %s\n",
>>>> +        av_err2str(ret));
>>>> +    }
>>>> +    return ret;
>>> 
>>> the { } placing style mismatches whats used in FFmpeg (i dont mind but some people do mind)
>>> 
>>> more general, how much code coverage is gained with these 2 fuzzers compared to what already exists ?
>>> 
>>> thanks
>> 
>> Okay, I will modify my style to adopt for FFmpeg. What is more, I didn’t compare the code coverage between them. Do I have to do this?  I mainly refer to the fate test from libavcodec/tests/avpacket.c and libavfilter/tests/formats.c.
> 
> If code coverage does not improve, what would be the reason for FFmpeg to
> include the code ?

Thank your reply. 
My fuzzing targets call the new API interfaces, which are not used by the existing fuzzing target. Though I don’t do the related experiment, code coverage should improve. 

> 
> Thanks
> 
> [...]
> -- 
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
> 
> Republics decline into democracies and democracies degenerate into
> despotisms. -- Aristotle
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Michael Niedermayer April 22, 2021, 10:53 a.m. UTC | #5 
On Thu, Apr 22, 2021 at 04:13:56PM +0800, Heng Zhang wrote:
> 
> 
> > 在 2021年4月20日,下午7:12,Michael Niedermayer <michael@niedermayer.cc> 写道:
> > 
> > On Tue, Apr 20, 2021 at 12:34:13PM +0800, Heng Zhang wrote:
> >> 
> >> 
> >>> 在 2021年4月19日,下午5:47,Michael Niedermayer <michael@niedermayer.cc> 写道:
> >>> 
> >>> On Mon, Apr 19, 2021 at 05:06:10PM +0800, a397341575@163.com <mailto:a397341575@163.com> wrote:
> >>>> From: toseven <Byone.heng@gmail.com>
> > [...]
> >>>> +    if (ret < 0)
> >>>> +    {
> >>>> +        fprintf(stderr, "Error occurred in av_packet_add_side_data: %s\n",
> >>>> +        av_err2str(ret));
> >>>> +    }
> >>>> +    return ret;
> >>> 
> >>> the { } placing style mismatches whats used in FFmpeg (i dont mind but some people do mind)
> >>> 
> >>> more general, how much code coverage is gained with these 2 fuzzers compared to what already exists ?
> >>> 
> >>> thanks
> >> 
> >> Okay, I will modify my style to adopt for FFmpeg. What is more, I didn’t compare the code coverage between them. Do I have to do this?  I mainly refer to the fate test from libavcodec/tests/avpacket.c and libavfilter/tests/formats.c.
> > 
> > If code coverage does not improve, what would be the reason for FFmpeg to
> > include the code ?
> 
> Thank your reply. 
> My fuzzing targets call the new API interfaces, which are not used by the existing fuzzing target. Though I don’t do the related experiment, code coverage should improve. 

Current fuzzer coverage can be seen here:
https://storage.googleapis.com/oss-fuzz-coverage/ffmpeg/reports/20210420/linux/src/ffmpeg/report.html

You are adding 2 targets
target_avpacket_fuzzer:
this calls
av_packet_side_data_name, av_packet_add_side_data, av_packet_free, av_packet_clone, av_grow_packet, av_new_packet, av_packet_from_data, 
From these all but av_packet_clone and av_packet_side_data_name are covered already
av_packet_side_data_name() is called with a fixed argument in your code

target_formats_fuzzer:
this calls av_get_channel_layout_string, ff_parse_channel_layout
the first is already covered the second is in libavfilter
libavfilter needs to be fuzzed, such fuzzing would involve building
filter chains or networks based on fuzzer input.
A 2nd set of libavfilter fuzzers should similar to libavcodec fuzzers
generate 1 fuzzer generically for each avfilter similarly to how decoders
from libavcodec are fuzzed.
Such libavfilter fuzzers would then also test most functions within libavfilter

More generally about coverage.
If you where in my position what would you want for additional fuzzers ?
maximally increased coverage with mininmal effort ?
I belive this would be achieved with generic fuzzing of filters similar to how
decoders are fuzzed currently. But thats a bit bigger effort 

I see the gsoc page says connecting 2 fate tests to fuzzing can be used as
qualification task. 
For connecting such tests, the fate test and the fuzzer should use shared
code and not duplicate. One way that can work is that the fate test takes
some input and that input is fixed for fate but can change when used for fuzzing
again, the more coverage we can achieve with as little effort the better.
Basically dont be afraid to submit a small amount of code because in fact
i would be more impressed if you can connect fate test(s) with little code
to the fuzzer than with alot of code.

Thanks

[...]
Heng Zhang April 23, 2021, 4:57 a.m. UTC | #6 
> 在 2021年4月22日,下午6:53,Michael Niedermayer <michael@niedermayer.cc> 写道:
> 
> On Thu, Apr 22, 2021 at 04:13:56PM +0800, Heng Zhang wrote:
>> 
>> 
>>> 在 2021年4月20日,下午7:12,Michael Niedermayer <michael@niedermayer.cc> 写道:
>>> 
>>> On Tue, Apr 20, 2021 at 12:34:13PM +0800, Heng Zhang wrote:
>>>> 
>>>> 
>>>>> 在 2021年4月19日,下午5:47,Michael Niedermayer <michael@niedermayer.cc> 写道:
>>>>> 
>>>>> On Mon, Apr 19, 2021 at 05:06:10PM +0800, a397341575@163.com <mailto:a397341575@163.com> wrote:
>>>>>> From: toseven <Byone.heng@gmail.com>
>>> [...]
>>>>>> +    if (ret < 0)
>>>>>> +    {
>>>>>> +        fprintf(stderr, "Error occurred in av_packet_add_side_data: %s\n",
>>>>>> +        av_err2str(ret));
>>>>>> +    }
>>>>>> +    return ret;
>>>>> 
>>>>> the { } placing style mismatches whats used in FFmpeg (i dont mind but some people do mind)
>>>>> 
>>>>> more general, how much code coverage is gained with these 2 fuzzers compared to what already exists ?
>>>>> 
>>>>> thanks
>>>> 
>>>> Okay, I will modify my style to adopt for FFmpeg. What is more, I didn’t compare the code coverage between them. Do I have to do this?  I mainly refer to the fate test from libavcodec/tests/avpacket.c and libavfilter/tests/formats.c.
>>> 
>>> If code coverage does not improve, what would be the reason for FFmpeg to
>>> include the code ?
>> 
>> Thank your reply. 
>> My fuzzing targets call the new API interfaces, which are not used by the existing fuzzing target. Though I don’t do the related experiment, code coverage should improve. 
> 
> Current fuzzer coverage can be seen here:
> https://storage.googleapis.com/oss-fuzz-coverage/ffmpeg/reports/20210420/linux/src/ffmpeg/report.html <https://storage.googleapis.com/oss-fuzz-coverage/ffmpeg/reports/20210420/linux/src/ffmpeg/report.html>
> 
> You are adding 2 targets
> target_avpacket_fuzzer:
> this calls
> av_packet_side_data_name, av_packet_add_side_data, av_packet_free, av_packet_clone, av_grow_packet, av_new_packet, av_packet_from_data, 
> From these all but av_packet_clone and av_packet_side_data_name are covered already
> av_packet_side_data_name() is called with a fixed argument in your code
> 
> target_formats_fuzzer:
> this calls av_get_channel_layout_string, ff_parse_channel_layout
> the first is already covered the second is in libavfilter
> libavfilter needs to be fuzzed, such fuzzing would involve building
> filter chains or networks based on fuzzer input.
> A 2nd set of libavfilter fuzzers should similar to libavcodec fuzzers
> generate 1 fuzzer generically for each avfilter similarly to how decoders
> from libavcodec are fuzzed.
> Such libavfilter fuzzers would then also test most functions within libavfilter
> 
> More generally about coverage.
> If you where in my position what would you want for additional fuzzers ?
> maximally increased coverage with mininmal effort ?
> I belive this would be achieved with generic fuzzing of filters similar to how
> decoders are fuzzed currently. But thats a bit bigger effort 
> 
> I see the gsoc page says connecting 2 fate tests to fuzzing can be used as
> qualification task. 
> For connecting such tests, the fate test and the fuzzer should use shared
> code and not duplicate. One way that can work is that the fate test takes
> some input and that input is fixed for fate but can change when used for fuzzing
> again, the more coverage we can achieve with as little effort the better.
> Basically dont be afraid to submit a small amount of code because in fact
> i would be more impressed if you can connect fate test(s) with little code
> to the fuzzer than with alot of code.
> 
> Thanks

Thank you for your patient reply. I will carefully consider your comments and submit the code again according to your suggestions.
> 
> [...]
> -- 
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
> 
> While the State exists there can be no freedom; when there is freedom there
> will be no State. -- Vladimir Lenin
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org <mailto:ffmpeg-devel@ffmpeg.org>
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org <mailto:ffmpeg-devel-request@ffmpeg.org> with subject "unsubscribe".
diff mbox series

Patch

diff --git a/Makefile b/Makefile
index 7e9d8b08c3..45509ab3b5 100644
--- a/Makefile
+++ b/Makefile
@@ -62,6 +62,11 @@  tools/target_dem_fuzzer$(EXESUF): tools/target_dem_fuzzer.o $(FF_DEP_LIBS)
 tools/target_io_dem_fuzzer$(EXESUF): tools/target_io_dem_fuzzer.o $(FF_DEP_LIBS)
 	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
 
+tools/target_avpacket_fuzzer$(EXESUF): tools/target_avpacket_fuzzer.o $(FF_DEP_LIBS)
+	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
+
+tools/target_formats_fuzzer$(EXESUF): tools/target_formats_fuzzer.o $(FF_DEP_LIBS)
+	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
 
 tools/enum_options$(EXESUF): ELIBS = $(FF_EXTRALIBS)
 tools/enum_options$(EXESUF): $(FF_DEP_LIBS)
diff --git a/tools/Makefile b/tools/Makefile
index 82baa8eadb..7ef720c8ba 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -17,6 +17,12 @@  tools/target_dem_fuzzer.o: tools/target_dem_fuzzer.c
 tools/target_io_dem_fuzzer.o: tools/target_dem_fuzzer.c
 	$(COMPILE_C) -DIO_FLAT=0
 
+tools/target_avpacket_fuzzer.o: tools/target_avpacket_fuzzer.c
+	$(COMPILE_C) 
+
+tools/target_avpacket_fuzzer.o: tools/target_formats_fuzzer.c
+	$(COMPILE_C) 
+
 OUTDIRS += tools
 
 clean::
diff --git a/tools/target_avpacket_fuzzer.c b/tools/target_avpacket_fuzzer.c
new file mode 100644
index 0000000000..e5e7b3d4c8
--- /dev/null
+++ b/tools/target_avpacket_fuzzer.c
@@ -0,0 +1,125 @@ 
+/*
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "libavcodec/avcodec.h"
+#include "libavutil/error.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+static int setup_side_data_entry(AVPacket *avpkt)
+{
+    const uint8_t *data_name = NULL;
+    int ret = 0, bytes;
+    uint8_t *extra_data = NULL;
+
+    /* get side_data_name string */
+    data_name = av_packet_side_data_name(AV_PKT_DATA_NEW_EXTRADATA);
+    
+    /* Allocate a memory bloc */
+    bytes = strlen(data_name);
+
+    if (!(extra_data = av_malloc(bytes)))
+    {
+        ret = AVERROR(ENOMEM);
+        fprintf(stderr, "Error occurred: %s\n", av_err2str(ret));
+        exit(1);
+    }
+
+    /* copy side_data_name to extra_data array */
+    memcpy(extra_data, data_name, bytes);
+
+    /* create side data for AVPacket */
+    ret = av_packet_add_side_data(avpkt, AV_PKT_DATA_NEW_EXTRADATA, extra_data,
+                                  bytes);
+    
+    if (ret < 0)
+    {
+        fprintf(stderr, "Error occurred in av_packet_add_side_data: %s\n",
+        av_err2str(ret));
+    }
+    return ret;
+}
+
+static int initializations(AVPacket *avpkt,const uint8_t *data, size_t size)
+{
+    int ret = 0;
+
+    /* set values for avpkt */
+    avpkt->pts = 17;
+    avpkt->dts = 2;
+    avpkt->data = (uint8_t *)data;
+    avpkt->size = size;
+    avpkt->flags = AV_PKT_FLAG_DISCARD;
+    avpkt->duration = 100;
+    avpkt->pos = 3;
+
+    ret = setup_side_data_entry(avpkt);
+
+    return ret;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) 
+{
+    AVPacket *avpkt = NULL;
+    AVPacket *avpkt_clone = NULL;
+
+    if(data==NULL || size ==0)
+        return 1;  
+
+    /* test av_packet_alloc */
+    avpkt = av_packet_alloc();
+    if (!avpkt)
+    {
+        av_log(NULL, AV_LOG_ERROR, "av_packet_alloc failed to allcoate AVPacket\n");
+        return 1;
+    }
+
+    int fuzz_size =  0;
+    memcpy(&fuzz_size,data,sizeof(int));
+
+    if (initializations(avpkt, data, size) < 0)
+    {
+        printf("failed to initialize variables\n");
+        av_packet_free(&avpkt);
+        return 1;
+    }
+    /* test av_packet_clone*/
+    avpkt_clone = av_packet_clone(avpkt);
+
+    if (!avpkt_clone)
+    {
+        av_log(NULL, AV_LOG_ERROR, "av_packet_clone failed to clone AVPacket\n");
+        return 1;
+    }
+
+    /*test api*/
+    av_grow_packet(avpkt_clone,fuzz_size);
+    av_new_packet(avpkt_clone, fuzz_size);
+    av_packet_from_data(avpkt_clone, avpkt_clone->data, fuzz_size);
+
+    /*clean up*/
+    av_packet_free(&avpkt_clone);
+    av_packet_free(&avpkt);
+
+    return 0;
+}
diff --git a/tools/target_formats_fuzzer.c b/tools/target_formats_fuzzer.c
new file mode 100644
index 0000000000..144abcd769
--- /dev/null
+++ b/tools/target_formats_fuzzer.c
@@ -0,0 +1,120 @@ 
+/*
+ * Copyright (c) 2007 Bobby Bingham
+ *
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "libavfilter/formats.c"
+
+#undef printf
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+const int64_t avfilter_all_channel_layouts[] = {
+    AV_CH_FRONT_CENTER,
+    AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_LOW_FREQUENCY,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY,
+    AV_CH_FRONT_CENTER|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_LOW_FREQUENCY|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_BACK_CENTER,
+    AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_CENTER,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_BACK_CENTER,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_LOW_FREQUENCY|AV_CH_BACK_CENTER,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_BACK_CENTER,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_CENTER,
+    AV_CH_FRONT_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_LOW_FREQUENCY|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_LOW_FREQUENCY|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_BACK_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_BACK_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_LOW_FREQUENCY|AV_CH_BACK_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_BACK_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_LOW_FREQUENCY|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_LOW_FREQUENCY|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_BACK_CENTER|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_CENTER|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_BACK_CENTER|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_LOW_FREQUENCY|AV_CH_BACK_CENTER|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_BACK_CENTER|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_CENTER|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_LOW_FREQUENCY|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_BACK_LEFT|AV_CH_BACK_RIGHT|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_BACK_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_CENTER|AV_CH_LOW_FREQUENCY|AV_CH_BACK_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_BACK_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_LOW_FREQUENCY|AV_CH_BACK_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    AV_CH_FRONT_LEFT|AV_CH_FRONT_RIGHT|AV_CH_FRONT_CENTER|AV_CH_BACK_CENTER|AV_CH_SIDE_LEFT|AV_CH_SIDE_RIGHT|AV_CH_STEREO_LEFT|AV_CH_STEREO_RIGHT,
+    -1
+};
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    if(data==NULL | size<sizeof(int64_t))
+        return 1;
+
+    char buf[512];
+    int64_t cl = 0;
+    memcpy(&cl,data,sizeof(int64_t));
+    
+    av_get_channel_layout_string(buf, sizeof(buf), -1, cl);
+
+    for (int i = 0; i< size; i++) {
+        int64_t layout = -1;
+        int count = -1;
+        int ret;
+        ret = ff_parse_channel_layout(&layout, &count, data[i], NULL);
+
+        // printf ("%d = ff_parse_channel_layout(%016"PRIX64", %2d, %s);\n", ret ? -1 : 0, layout, count, teststrings[i]);
+    }
+
+    return 0;
+}