From patchwork Tue May 31 20:12:23 2022
X-Patchwork-Submitter: James Almer
X-Patchwork-Id: 36015
From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 31 May 2022 17:12:23 -0300
Message-Id: <20220531201223.422-1-jamrial@gmail.com>
X-Mailer: git-send-email 2.36.1
Subject: [FFmpeg-devel] [PATCH] tools/target_dec_fuzzer: add a custom get_buffer2() implementation

Unlike avcodec_default_get_buffer2(), this version does not allocate more
than what the normal image helper functions consider should be allocated
for a given frame.
Since the get_buffer2() documentation does not require any kind of buffer
overallocation for any of the planes, this should help detect bugs in our
DR1 decoders if they overread beyond the end of the buffer, simulating what
some library users might experience when they use their own custom
get_buffer2() implementations.

Signed-off-by: James Almer
---
Untested. The get_buffer2() documentation does not enforce the usage of
avcodec_align_dimensions2(), only says it "should" be used for DR1 decoders.
I figure not using it would break a bunch of decoders, but I can't be sure.

And I did not bother writing a buffer pool for this. I assume it will not
affect performance to the point ossfuzz starts reporting bogus timeouts.

Signed-off-by: James Almer
---
 tools/target_dec_fuzzer.c | 50 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index 288aa63313..b951921265 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -104,6 +104,55 @@ const uint32_t maxiteration = 8096; static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL; +static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame) +{ + ptrdiff_t linesize1[4]; + size_t size[4]; + int linesize_align[AV_NUM_DATA_POINTERS]; + int ret, w = frame->width, h = frame->height; + + avcodec_align_dimensions2(ctx, &w, &h, linesize_align); + ret = av_image_fill_linesizes(frame->linesize, ctx->pix_fmt, w); + if (ret < 0) + return ret; + + for (int i = 0; i < 4; i++) + linesize1[i] = frame->linesize[i] = + FFALIGN(frame->linesize[i], linesize_align[i]); + + ret = av_image_fill_plane_sizes(size, ctx->pix_fmt, h, linesize1); + if (ret < 0) + goto fail; + + for (int i = 0; i < 4; i++) { + frame->buf[i] = av_buffer_alloc(size[i]); + if (!frame->buf[i]) { + ret = AVERROR(ENOMEM); + goto fail; + } + frame->data[i] = frame->buf[i]->data; + } + +fail: + if (ret < 0) + av_frame_unref(frame); + return ret; +} + +static int fuzz_get_buffer2(AVCodecContext *ctx, AVFrame *frame, int flags) +{ + switch (ctx->codec_type) { + case AVMEDIA_TYPE_VIDEO: + return (ctx->codec->capabilities & AV_CODEC_CAP_DR1) + ? fuzz_video_get_buffer(ctx, frame) + : avcodec_default_get_buffer2(ctx, frame, flags); + case AVMEDIA_TYPE_AUDIO: + return avcodec_default_get_buffer2(ctx, frame, flags); + default: + return AVERROR(EINVAL); + } +} + int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { uint64_t maxpixels_per_frame = 4096 * 4096; uint64_t maxpixels; @@ -241,6 +290,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM and hangs ctx->max_samples = maxsamples_per_frame; + ctx->get_buffer2 = fuzz_get_buffer2; if (size > 1024) { GetByteContext gbc;
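Review bot: In the first hunk, the allocation loop in fuzz_video_get_buffer() runs over all four planes unconditionally, so for pixel formats with fewer planes av_buffer_alloc() is called with size[i] == 0 and frame->data[i] / frame->buf[i] end up non-NULL for planes the format does not have; avcodec_default_get_buffer2() leaves those entries NULL, and libavcodec's post-get_buffer2() validation logs an error when unused plane pointers are not zeroed. Suggest stopping at the first empty plane, e.g. `for (int i = 0; i < 4 && size[i]; i++)`, and leaving data/linesize of the remaining entries at 0/NULL. Two smaller points on the same function: the success path reaches `fail:` only because av_image_fill_plane_sizes() returned 0, so an explicit `return 0;` before the label would make the control flow clearer, and since the cover letter states the patch is untested, a run against a handful of DR1 decoders with both planar and packed formats (including PAL8, whose palette plane must still be allocated) would confirm that the aligned linesizes and plane sizes match what the decoders expect.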
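Review bot: In the second hunk, `ctx->get_buffer2 = fuzz_get_buffer2;` is installed without a comment, although the two neighbouring assignments each carry one (`//To reduce false positive OOM and hangs`); the rationale from the commit message, that the default allocator is replaced so DR1 decoders receive exactly the plane sizes av_image_fill_plane_sizes() computes and any overread past the end of a plane becomes visible to the sanitizers, should be stated in the source next to the assignment, since it changes how every video decoder run by this fuzzer is exercised and the next person reading an ossfuzz report needs to know the buffers are deliberately not overallocated.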