Message ID | 20191206225922.GN3089@michaelspb |
---|---|
State | New |
On 12/6/2019 7:59 PM, Michael Niedermayer wrote:
> On Fri, Dec 06, 2019 at 04:16:23PM -0300, James Almer wrote:
>> This should increase coverage on some decoders by executing flushing code.
>>
>> Signed-off-by: James Almer <jamrial@gmail.com>
>> ---
>> tools/target_dec_fuzzer.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
>> index dcf47b0f4d..3c2f9125bb 100644
>> --- a/tools/target_dec_fuzzer.c
>> +++ b/tools/target_dec_fuzzer.c
>> @@ -256,6 +256,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
>> error("Failed memory allocation");
>> memcpy(parsepkt.data, last, data - last);
>> parsepkt.flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;
>> + int flush = !!(keyframes & 4);
>> keyframes = (keyframes >> 2) + (keyframes<<62);
>> data += sizeof(fuzz_tag);
>> last = data;
>> @@ -289,6 +290,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
>> av_packet_move_ref(&avpkt, &parsepkt);
>> }
>>
>> + if (avpkt.flags & AV_PKT_FLAG_KEY && flush)
>> + avcodec_flush_buffers(ctx);
>> +
>> // Iterate through all data
>> while (avpkt.size > 0 && it++ < maxiteration) {
>> av_frame_unref(frame);
>
> This would call flush in a pattern locked onto the keyframe and discard flags.
> Not sure if that could affect coverage
> An alternative would be to use a seperate pattern for flush. (see patch below)
>
> That said, both these patches will disrupt existing test cases
>
>
> commit 1a1f747a7afd181f6b763d4dca59cd848e7acb20 (HEAD -> master)
> Author: Michael Niedermayer <michael@niedermayer.cc>
> Date: Fri Dec 6 23:42:28 2019 +0100
>
> tools/target_dec_fuzzer: Call avcodec_flush_buffers() in a fuzzer choosen pattern
>
> This should increase coverage
>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>
> diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
> index dcf47b0f4d..c11a11514c 100644
> --- a/tools/target_dec_fuzzer.c
> +++ b/tools/target_dec_fuzzer.c
> @@ -110,6 +110,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> const AVPacket *avpkt) = NULL;
> AVCodecParserContext *parser = NULL;
> uint64_t keyframes = 0;
> + uint64_t flushpattern = -1;
>
>
> if (!c) {
> @@ -210,6 +211,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> ctx->block_align = bytestream2_get_le32(&gbc);
> ctx->codec_tag = bytestream2_get_le32(&gbc);
> keyframes = bytestream2_get_le64(&gbc);
> + flushpattern = bytestream2_get_le64(&gbc);
>
> if (extradata_size < size) {
> ctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
> @@ -289,6 +291,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> av_packet_move_ref(&avpkt, &parsepkt);
> }
>
> + if (!(flushpattern & 7))
> + avcodec_flush_buffers(ctx);
> + flushpattern = (flushpattern >> 3) + (flushpattern<<61);
> +
> // Iterate through all data
> while (avpkt.size > 0 && it++ < maxiteration) {
> av_frame_unref(frame);
LGTM.
diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index dcf47b0f4d..c11a11514c 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -110,6 +110,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 const AVPacket *avpkt) = NULL;
 AVCodecParserContext *parser = NULL;
 uint64_t keyframes = 0;
+ uint64_t flushpattern = -1;
 
 
 if (!c) {
@@ -210,6 +211,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 ctx->block_align = bytestream2_get_le32(&gbc);
 ctx->codec_tag = bytestream2_get_le32(&gbc);
 keyframes = bytestream2_get_le64(&gbc);
+ flushpattern = bytestream2_get_le64(&gbc);
 
 if (extradata_size < size) {
 ctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
@@ -289,6 +291,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 av_packet_move_ref(&avpkt, &parsepkt);
 }
 
+ if (!(flushpattern & 7))
+ avcodec_flush_buffers(ctx);
+ flushpattern = (flushpattern >> 3) + (flushpattern<<61);
+
 // Iterate through all data
 while (avpkt.size > 0 && it++ < maxiteration) {
 av_frame_unref(frame);
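Review bot: The `-1` initialiser on `flushpattern` in the first hunk carries meaning that the declaration does not explain. With every bit set, `!(flushpattern & 7)` in the third hunk is never true and the rotation leaves the value unchanged, so an input that never reaches the `bytestream2_get_le64(&gbc)` read in the second hunk never flushes. I would state that on the declaration and use the unsigned constant, e.g. `uint64_t flushpattern = UINT64_MAX; // all ones: no flush unless the input supplies a pattern`. The declaration sits inside LLVMFuzzerTestOneInput, whose body starts and ends outside the hunk, so other assignments to it cannot be ruled out from here.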
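Review bot: The flush decision added in the third hunk has no comment, and its encoding is not obvious: each packet looks at the low three bits of `flushpattern`, flushes only when all three are zero, then rotates the 64-bit word by three. A line above the `if` such as `// flush before this packet when the next 3 pattern bits are all zero, then rotate the pattern by 3` would make the one-in-eight selection explicit. Because the check sits before the `while (avpkt.size > 0 && ...)` loop, a flush can only happen at a packet boundary. If flushing between partial consumes of a single packet is also meant to be exercised, the check would need to move into that loop, whose body lies outside the hunk.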