diff mbox series

[FFmpeg-devel] tools/target_dec_fuzzer: add a custom get_buffer2() implementation

Message ID 20220531201223.422-1-jamrial@gmail.com
State New
Headers show
Series [FFmpeg-devel] tools/target_dec_fuzzer: add a custom get_buffer2() implementation | expand

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished
andriy/make_armv7_RPi4 success Make finished
andriy/make_fate_armv7_RPi4 success Make fate finished

Commit Message

James Almer May 31, 2022, 8:12 p.m. UTC 
Unlike avcodec_default_get_buffer2(), this version does not allocate more than
what the normal image helper functions consider should be allocated for a given
frame.
Since the get_buffer2() documentation does not require any kind of buffer
overallocation for any of the planes, this should help detect bugs in our DR1
decoders if they overread beyond the end of the buffer, simulating what some
library users might experience when they use their own custom get_buffer2()
implementations.

Signed-off-by: James Almer <jamrial@gmail.com>
---
Untested.

The get_buffer2() documentation does not enfore the usage of
avcodec_align_dimensions2(), only says it "should" be used for DR1 decoders.
I figure not using it would break a bunch of decoders, but i can't be sure.

And i did not bother writing a buffer pool for this. I assume it will not
affect performance to the point ossfuzz start reporting bogus timeouts.

Signed-off-by: James Almer <jamrial@gmail.com>
---
 tools/target_dec_fuzzer.c | 50 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
diff mbox series

Patch

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index 288aa63313..b951921265 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -104,6 +104,55 @@  const uint32_t maxiteration = 8096;
 
 static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;
 
+static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame)
+{
+    ptrdiff_t linesize1[4];
+    size_t size[4];
+    int linesize_align[AV_NUM_DATA_POINTERS];
+    int ret, w = frame->width, h = frame->height;
+
+    avcodec_align_dimensions2(ctx, &w, &h, linesize_align);
+    ret = av_image_fill_linesizes(frame->linesize, ctx->pix_fmt, w);
+    if (ret < 0)
+        return ret;
+
+    for (int i = 0; i < 4; i++)
+        linesize1[i] = frame->linesize[i] =
+            FFALIGN(frame->linesize[i], linesize_align[i]);
+
+    ret = av_image_fill_plane_sizes(size, ctx->pix_fmt, h, linesize1);
+    if (ret < 0)
+        goto fail;
+
+    for (int i = 0; i < 4; i++) {
+        frame->buf[i] = av_buffer_alloc(size[i]);
+        if (!frame->buf[i]) {
+            ret = AVERROR(ENOMEM);
+            goto fail;
+        }
+        frame->data[i] = frame->buf[i]->data;
+    }
+
+fail:
+    if (ret < 0)
+        av_frame_unref(frame);
+    return ret;
+}
+
+static int fuzz_get_buffer2(AVCodecContext *ctx, AVFrame *frame, int flags)
+{
+    switch (ctx->codec_type) {
+    case AVMEDIA_TYPE_VIDEO:
+        return (ctx->codec->capabilities & AV_CODEC_CAP_DR1)
+               ? fuzz_video_get_buffer(ctx, frame)
+               : avcodec_default_get_buffer2(ctx, frame, flags);
+    case AVMEDIA_TYPE_AUDIO:
+        return avcodec_default_get_buffer2(ctx, frame, flags);
+    default:
+        return AVERROR(EINVAL);
+    }
+}
+
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     uint64_t maxpixels_per_frame = 4096 * 4096;
     uint64_t maxpixels;
@@ -241,6 +290,7 @@  int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
         ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM and hangs
 
     ctx->max_samples = maxsamples_per_frame;
+    ctx->get_buffer2 = fuzz_get_buffer2;
 
     if (size > 1024) {
         GetByteContext gbc;