From patchwork Mon May 31 05:29:11 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vedaa <vedaa@riseup.net>
X-Patchwork-Id: 27990
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a6b:b214:0:0:0:0:0 with SMTP id b20csp2574089iof;
        Sun, 30 May 2021 22:29:47 -0700 (PDT)
X-Google-Smtp-Source: 
 ABdhPJzkfLxcYbh8NQQLx0RYR1839I3q7HWyl9JdDvCdW6pRnUI+TRB3ZTHpxiaD/zD8TGRQuyY7
X-Received: by 2002:a50:9e63:: with SMTP id
 z90mr23416142ede.342.1622438987475;
        Sun, 30 May 2021 22:29:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1622438987; cv=none;
        d=google.com; s=arc-20160816;
        b=zYAZ5r5Y4+lx2oIqrHKeYLlcNSaWwb2mfW75/EBheBB/633br3YiweH4xPfwAwNkCz
         lkEQD02N4NRGkNPARP5xzViyaVri5j+v2zOmRazqoUhMLGftjxIotm19LzD0w4XM5X/0
         zrBpJAPtpBY5KTtIXyZIzX9nxmQNObsq9jJN75/+4PAiyXYNt5glXCtk4cm4kIEqmTiZ
         DzVVSEoD5wjNW1D/FJDq4HtcHc2FnkrltyFhwCbmvfwe6iBzkpWsHQxii1+WsMS6FNoD
         Fbk70AA4aS4n5v2ue82JuqWjfhrrKRUqFUYC8j8Gpq0sbpbgkOvBtnVhzOhpBiy86Mmm
         hc3Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:reply-to:list-subscribe
         :list-help:list-post:list-archive:list-unsubscribe:list-id
         :precedence:subject:mime-version:references:in-reply-to:message-id
         :date:to:from:dkim-signature:delivered-to;
        bh=xk2EC7NSnLgllip843M5goioqJHyt2mOGg+3DPRUUOE=;
        b=bL9sSCFJWJIrDTbIOUIeVYAoJDAeujUq+xsxH2PLMSivjdSOYEqSL5FckluQt1AErs
         fhn5YOjpROfe9AWnWX4uLTYRdQmpLF7mSVh29zf/kCP6BNYJs5hv9Hdb4EBQ3OuYD1Bi
         wA6hoCpof9RuCeFecWM8Jj2OBGHwdwysv/t4EWqiMsSmTpaSiZD+OWHoSXalvAGTPPlq
         FiXei1exBmwKRlh5zYZK8UKQlSLhBOfpgbhQaZezpAwRlgbepEbBJ10GSnRJ/6QvSYb9
         79e1HDNr4m3WR8PONLKP1MNO2NA7CTFuK7YVci2IPRJxAYeiDI5IpdURX6S2aZTO9Mq+
         Am4w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@riseup.net
 header.s=squak header.b="MT/7Uzkv";
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=riseup.net
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 f11si11380714edc.302.2021.05.30.22.29.46;
        Sun, 30 May 2021 22:29:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@riseup.net
 header.s=squak header.b="MT/7Uzkv";
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=riseup.net
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 7A66568057F;
	Mon, 31 May 2021 08:29:42 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 063E86801E6
 for <ffmpeg-devel@ffmpeg.org>; Mon, 31 May 2021 08:29:35 +0300 (EEST)
Received: from fews1.riseup.net (fews1-pn.riseup.net [10.0.1.83])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "*.riseup.net",
 Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified))
 by mx1.riseup.net (Postfix) with ESMTPS id 4FtkPT4zwgzDrhg
 for <ffmpeg-devel@ffmpeg.org>; Sun, 30 May 2021 22:29:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak;
 t=1622438973; bh=cVHYoNtl8NFCnPeYtx4+6QjpKMb4lghDvAPYeTJvhiU=;
 h=From:To:Subject:Date:In-Reply-To:References:From;
 b=MT/7UzkvHGDo+xgh2V1E1Fd/b4S8+jGYKxmJncoAceiNAe64j2723DPBApFU+pQpI
 3+cVtPJsfC/gTglXtIM/L3f170D3Kew7LwFqZP/9gq1YmGQ9HN813KO7IdJGN2ZOYu
 pv/T9Wf1h23p/M0ujiIluCqb/c8LVBNjzYpehiuM=
X-Riseup-User-ID: 
 B89B1EF1E37FA563A17B534B36E82EDC0B80924A3356EE234F82B3D360BBD406
Received: from [127.0.0.1] (localhost [127.0.0.1])
 by fews1.riseup.net (Postfix) with ESMTPSA id 4FtkPS4h32z5vS1
 for <ffmpeg-devel@ffmpeg.org>; Sun, 30 May 2021 22:29:32 -0700 (PDT)
From: Vedaa <vedaa@riseup.net>
To: ffmpeg-devel@ffmpeg.org
Date: Mon, 31 May 2021 10:59:11 +0530
Message-Id: <20210531052911.44543-1-vedaa@riseup.net>
In-Reply-To: <20210518213825.GS4777@pb2>
References: <20210518213825.GS4777@pb2>
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCHv6] fate/integer.c: Connect test to fuzzer
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: 0+q8Z5sDwQln

Hi,

I have added checks so that only positive numbers are passed to the
function, and limited the bits read to 24-bits. This has stopped the
fuzzer from terminating.
---
 Makefile                  |  2 ++
 libavutil/tests/integer.c | 21 ++----------------
 libavutil/tests/integer.h | 45 +++++++++++++++++++++++++++++++++++++++
 tools/Makefile            |  3 +++
 tools/target_int_fuzzer.c | 38 +++++++++++++++++++++++++++++++++
 5 files changed, 90 insertions(+), 19 deletions(-)
 create mode 100644 libavutil/tests/integer.h
 create mode 100644 tools/target_int_fuzzer.c

diff --git a/Makefile b/Makefile
index 1e3da6271b..651133eb1a 100644
--- a/Makefile
+++ b/Makefile
@@ -61,6 +61,8 @@ tools/target_dem_fuzzer$(EXESUF): tools/target_dem_fuzzer.o $(FF_DEP_LIBS)
 tools/target_io_dem_fuzzer$(EXESUF): tools/target_io_dem_fuzzer.o $(FF_DEP_LIBS)
 	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
 
+tools/target_int_fuzzer$(EXESUF): tools/target_int_fuzzer.o $(FF_DEP_LIBS)
+	$(LD) $(LDFLAGS) $(LDEXEFLAGS) $(LD_O) $^ $(ELIBS) $(FF_EXTRALIBS) $(LIBFUZZER_PATH)
 
 tools/enum_options$(EXESUF): ELIBS = $(FF_EXTRALIBS)
 tools/enum_options$(EXESUF): $(FF_DEP_LIBS)
diff --git a/libavutil/tests/integer.c b/libavutil/tests/integer.c
index d2c8f2a903..02e1d9219c 100644
--- a/libavutil/tests/integer.c
+++ b/libavutil/tests/integer.c
@@ -18,31 +18,14 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
-#include <stdint.h>
-
-#include "libavutil/avassert.h"
-#include "libavutil/integer.h"
-#include "libavutil/intmath.h"
+#include "libavutil/tests/integer.h"
 
 int main(void){
     int64_t a,b;
 
     for(a=7; a<256*256*256; a+=13215){
         for(b=3; b<256*256*256; b+=27118){
-            AVInteger ai= av_int2i(a);
-            AVInteger bi= av_int2i(b);
-
-            av_assert0(av_i2int(ai) == a);
-            av_assert0(av_i2int(bi) == b);
-            av_assert0(av_i2int(av_add_i(ai,bi)) == a+b);
-            av_assert0(av_i2int(av_sub_i(ai,bi)) == a-b);
-            av_assert0(av_i2int(av_mul_i(ai,bi)) == a*b);
-            av_assert0(av_i2int(av_shr_i(ai, 9)) == a>>9);
-            av_assert0(av_i2int(av_shr_i(ai,-9)) == a<<9);
-            av_assert0(av_i2int(av_shr_i(ai, 17)) == a>>17);
-            av_assert0(av_i2int(av_shr_i(ai,-17)) == a<<17);
-            av_assert0(av_log2_i(ai) == av_log2(a));
-            av_assert0(av_i2int(av_div_i(ai,bi)) == a/b);
+            TestInteger(a,b);
         }
     }
     return 0;
diff --git a/libavutil/tests/integer.h b/libavutil/tests/integer.h
new file mode 100644
index 0000000000..1e28c29787
--- /dev/null
+++ b/libavutil/tests/integer.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2004 Michael Niedermayer <michaelni@gmx.at>
+ *
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+#ifndef AVUTIL_TESTS_INTEGER_H
+#define AVUTIL_TESTS_INTEGER_H
+
+#include <stdint.h>
+#include "libavutil/avassert.h"
+#include "libavutil/integer.h"
+#include "libavutil/intmath.h"
+
+static inline void TestInteger(int64_t a, int64_t b)
+{
+        AVInteger ai= av_int2i(a);
+        AVInteger bi= av_int2i(b);
+
+        av_assert0(av_i2int(ai) == a);
+        av_assert0(av_i2int(bi) == b);
+        av_assert0(av_i2int(av_add_i(ai,bi)) == a+b);
+        av_assert0(av_i2int(av_sub_i(ai,bi)) == a-b);
+        av_assert0(av_i2int(av_mul_i(ai,bi)) == a*b);
+        av_assert0(av_i2int(av_shr_i(ai, 9)) == a>>9);
+        av_assert0(av_i2int(av_shr_i(ai,-9)) == a<<9);
+        av_assert0(av_i2int(av_shr_i(ai, 17)) == a>>17);
+        av_assert0(av_i2int(av_shr_i(ai,-17)) == a<<17);
+        av_assert0(av_log2_i(ai) == av_log2(a));
+        av_assert0(av_i2int(av_div_i(ai,bi)) == a/b);
+}
+#endif /* AVUTIL_TESTS_INTEGER_H */
diff --git a/tools/Makefile b/tools/Makefile
index 82baa8eadb..fde7f08984 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -17,6 +17,9 @@ tools/target_dem_fuzzer.o: tools/target_dem_fuzzer.c
 tools/target_io_dem_fuzzer.o: tools/target_dem_fuzzer.c
 	$(COMPILE_C) -DIO_FLAT=0
 
+tools/target_int_fuzzer.o: tools/target_int_fuzzer.c
+	$(COMPILE_C)
+
 OUTDIRS += tools
 
 clean::
diff --git a/tools/target_int_fuzzer.c b/tools/target_int_fuzzer.c
new file mode 100644
index 0000000000..f2ec52bb0a
--- /dev/null
+++ b/tools/target_int_fuzzer.c
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2021 Vedaa <vedaa@riseup.net>
+ *
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "libavutil/tests/integer.h"
+#include "libavutil/intreadwrite.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (size < 3 * sizeof(int16_t))
+        return 1;
+
+    int64_t a,b,mult;
+    mult = AV_RB8(data);
+    a = AV_RB16(data + sizeof(int8_t)) * mult;
+    b = AV_RB16(data+sizeof(int8_t) + sizeof(int16_t)) * mult;
+    if (a <= 0 || b <= 0 )
+        return 1;
+    TestInteger(a,b);
+    return 0;
+}