[FFmpeg-devel] tools/target_dec_fuzzer: Limit error concealment to max_pixels

Submitted by Michael Niedermayer on Nov. 20, 2017, 5:25 p.m.

Details

Message ID 20171120172551.7781-1-michael@niedermayer.cc
State New

Commit Message

Michael Niedermayer Nov. 20, 2017, 5:25 p.m.
Error concealment is time consuming; limiting it in a pixel-dependent way allows
the decoder to be fuzzed with more frames, more quickly.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 tools/target_dec_fuzzer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Kieran Kunhya Nov. 20, 2017, 6:30 p.m.
>
> On Mon, 20 Nov 2017 at 17:26 Michael Niedermayer <michael@niedermayer.cc>
> wrote:
> Error concealment is time consuming; limiting it in a pixel-dependent way
> allows
> the decoder to be fuzzed with more frames, more quickly.
>

How is this a reasonable fix considering you have submitted numerous
patches to fix "long-running" loops?
Surely it's a bug that people can craft streams that cause error resilience
to lock up the machine.

Kieran

Michael Niedermayer Nov. 20, 2017, 7:33 p.m.
On Mon, Nov 20, 2017 at 06:30:28PM +0000, Kieran Kunhya wrote:
> >
> > On Mon, 20 Nov 2017 at 17:26 Michael Niedermayer <michael@niedermayer.cc>
> > wrote:
> > Error concealment is time consuming; limiting it in a pixel-dependent way
> > allows
> > the decoder to be fuzzed with more frames, more quickly.
> >
> 
> How is this a reasonable fix considering you have submitted numerous
> patches to fix "long-running" loops?

I am not sure I understand; I think we misunderstand each other here
somehow.

The fuzzer tests many random pieces of data, and if on average one
takes 10 secs it tests half as many as if one takes 5 secs on average.

So making the fuzzer spend less time on the most time-consuming part
of the code means more fuzzing per same CPU time.

Or, said differently: if decoding takes an average of let's say 10 ms
per frame and error concealment of a frame takes 100 ms on average,
if we cut down the amount of cases that do concealment we increase
the number of frames we can fuzz by more than we reduce the number of
error concealment cases.
At least that is the idea.


> Surely it's a bug that people can craft streams that cause error resilience
> to lock up the machine.

yes, absolutely

[...]

Patch

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index 62d62a9de3..04f95561cc 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -211,7 +211,7 @@  int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
             av_frame_unref(frame);
             int ret = decode_handler(ctx, frame, &got_frame, &avpkt);
 
-            if (it > 20)
+            if (it > 20 || it * ctx->width * ctx->height > ctx->max_pixels)
                 ctx->error_concealment = 0;
 
             if (ret <= 0 || ret > avpkt.size)
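Review bot: on the added line, `it * ctx->width * ctx->height` is evaluated in int arithmetic (assuming `it` is an int counter, as its use as an iteration count suggests; `width` and `height` are int fields) before being compared against `ctx->max_pixels`. With `it` up to 20 and large dimensions taken from a fuzzed stream, the product can exceed INT_MAX; signed overflow is undefined behaviour in C and in practice wraps negative, so the comparison is false and error concealment stays enabled for precisely the oversized frames this check is meant to skip, which is also the case where the time cost the commit message describes is largest. Suggest promoting the first operand so the product is computed in 64 bits, matching the width of `max_pixels`, e.g. `if (it > 20 || (int64_t)it * ctx->width * ctx->height > ctx->max_pixels)`. A short comment next to the condition explaining that this is a fuzzing-throughput heuristic rather than a correctness limit would also help the next reader, since the discussion in this thread shows the intent is easy to misread.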