Message ID | 20171120172551.7781-1-michael@niedermayer.cc |
---|---|
State | New |
> > On Mon, 20 Nov 2017 at 17:26 Michael Niedermayer <michael@niedermayer.cc>
> > wrote:
> > Error concealment is time consuming, limiting it in a pixel dependent way
> > allows
> > the decoder to be fuzzed with more frames quicker

How is this a reasonable fix considering you have submitted numerous patches to fix "long-running" loops?
Surely it's a bug that people can craft streams that cause error resilience to lock up the machine.

Kieran
On Mon, Nov 20, 2017 at 06:30:28PM +0000, Kieran Kunhya wrote:
> > On Mon, 20 Nov 2017 at 17:26 Michael Niedermayer <michael@niedermayer.cc>
> > wrote:
> > Error concealment is time consuming, limiting it in a pixel dependent way
> > allows
> > the decoder to be fuzzed with more frames quicker
>
> How is this a reasonable fix considering you have submitted numerous
> patches to fix "long-running" loops?

I am not sure I understand, I think we misunderstand each other here somehow.

The fuzzer tests many random pieces of data, and if on average one takes 10 secs it tests half as many as if one takes 5 secs on average. So making the fuzzer spend less time on the most time-consuming part of the code means more fuzzing per same CPU time.

Or said differently, if decoding takes an average of, let's say, 10 ms per frame and error concealment of a frame takes 100 ms on average, if we cut down the amount of cases that do concealment we increase the number of frames we can fuzz by more than we reduce the number of error concealment cases. At least that is the idea.

> Surely it's a bug that people can craft streams that cause error resilience
> to lock up the machine.

yes, absolutely

[...]
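The throughput argument above (cheap decode, expensive concealment, so capping concealment buys more fuzz iterations per CPU second) is easy to check with a small cost model. The following is an added example written for this page, not code from FFmpeg or from the patch: `concealment_allowed` mirrors the shape of the cap being discussed (an iteration limit plus an iteration-times-pixels budget) but forms the product in 64-bit arithmetic; `input_cost_ms` is a constructed model in which every frame costs `decode_ms` and every `damaged_every`-th frame would additionally trigger concealment. The frame size, the 10 ms / 100 ms costs and the 4,000,000-pixel budget are assumed values chosen to make the effect visible, not measurements.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the per-iteration cap discussed in the thread (not FFmpeg code):
 * `it` is the frame counter, `width`/`height` the stream dimensions and
 * `max_pixels` the pixel budget. The product is formed in int64_t so that a
 * large frame multiplied by the iteration count cannot overflow a 32-bit int
 * before the comparison is made.
 */
static int concealment_allowed(int it, int width, int height, int64_t max_pixels)
{
    if (it > 20)
        return 0;
    int64_t pixels = (int64_t)it * width * height;
    return pixels <= max_pixels;
}

/*
 * Constructed cost model for one fuzz input of `frames` frames: every frame
 * costs decode_ms, and every `damaged_every`-th frame additionally triggers
 * error concealment (conceal_ms) if the cap still allows it. Returns the total
 * CPU milliseconds spent on the input. All costs are assumed, not measured.
 */
static double input_cost_ms(int frames, int width, int height, int64_t max_pixels,
                            double decode_ms, double conceal_ms, int damaged_every)
{
    double total = 0.0;
    for (int it = 0; it < frames; it++) {
        total += decode_ms;
        if (damaged_every > 0 && it % damaged_every == 0 &&
            concealment_allowed(it, width, height, max_pixels))
            total += conceal_ms;
    }
    return total;
}

/* How many inputs of that cost one CPU second buys. */
static double inputs_per_cpu_second(double cost_ms)
{
    return cost_ms > 0.0 ? 1000.0 / cost_ms : 0.0;
}

int main(void)
{
    /* Constructed scenario: 40 frames of 1920x1080, 10 ms to decode a frame,
     * 100 ms to conceal one, every second frame damaged. */
    const int frames = 40, w = 1920, h = 1080, damaged_every = 2;
    const double decode_ms = 10.0, conceal_ms = 100.0;

    double uncapped = input_cost_ms(frames, w, h, INT64_MAX, decode_ms, conceal_ms, damaged_every);
    double capped   = input_cost_ms(frames, w, h, INT64_C(4000000), decode_ms, conceal_ms, damaged_every);

    printf("no pixel budget: %.0f ms/input -> %.2f inputs per CPU second\n",
           uncapped, inputs_per_cpu_second(uncapped));
    printf("4M pixel budget: %.0f ms/input -> %.2f inputs per CPU second\n",
           capped, inputs_per_cpu_second(capped));
    return 0;
}
```

In the constructed scenario the uncapped run conceals 11 of the 20 damaged frames (the iteration limit alone stops it after frame 20) and costs 1500 ms per input, while the 4,000,000-pixel budget allows concealment only on the first frame and brings the cost down to 500 ms, i.e. three times as many inputs per CPU second. The 64-bit product matters for the cap itself: at 46341x46341 a single frame already exceeds INT_MAX pixels, so an int multiplication would wrap instead of tripping the budget.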
diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 62d62a9de3..04f95561cc 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -211,7 +211,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { av_frame_unref(frame); int ret = decode_handler(ctx, frame, &got_frame, &avpkt); - if (it > 20) + if (it > 20 || it * ctx->width * ctx->height > ctx->max_pixels) ctx->error_concealment = 0; if (ret <= 0 || ret > avpkt.size)
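Review bot: in the new condition `it * ctx->width * ctx->height > ctx->max_pixels`, the product is evaluated in the operands' own type before it is widened for the comparison against `ctx->max_pixels` (an int64_t), so if `it` is an int like `width` and `height`, a frame near the default pixel limit multiplied by even a small iteration count overflows signed int, which is undefined behaviour and in practice wraps, so the cap can silently fail to trigger for exactly the large frames it is meant to catch. Suggest forming the product in 64-bit: `if (it > 20 || (int64_t)it * ctx->width * ctx->height > ctx->max_pixels)`. A note in the commit message that the check intentionally evaluates to 0 (and so allows concealment) while `width`/`height` are still unset would also help the next reader.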
Error concealment is time consuming, limiting it in a pixel dependent way allows
the decoder to be fuzzed with more frames quicker

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 tools/target_dec_fuzzer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)