From patchwork Tue May 31 20:42:10 2022
X-Patchwork-Submitter: James Almer
X-Patchwork-Id: 36016
From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Tue, 31 May 2022 17:42:10 -0300
Message-Id: <20220531204210.454-1-jamrial@gmail.com>
In-Reply-To: <20220531201223.422-1-jamrial@gmail.com>
References: <20220531201223.422-1-jamrial@gmail.com>
Subject: [FFmpeg-devel] [PATCH v2] tools/target_dec_fuzzer: add a custom get_buffer2() implementation

Unlike avcodec_default_get_buffer2(), this version does not allocate more
than what the normal image helper functions consider should be allocated
for a given frame.
Since the get_buffer2() documentation does not require any kind of buffer
overallocation for any of the planes, this should help detect bugs in our
DR1 decoders if they overread beyond the end of the buffer, simulating
what some library users might experience when they use their own custom
get_buffer2() implementations.

Signed-off-by: James Almer
---
Now making sure to not allocate more plane buffers than needed.

 tools/target_dec_fuzzer.c | 52 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index 288aa63313..2e43ed3d88 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -104,6 +104,57 @@ const uint32_t maxiteration = 8096; static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL; +static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame) +{ + ptrdiff_t linesize1[4]; + size_t size[4]; + int linesize_align[AV_NUM_DATA_POINTERS]; + int ret, w = frame->width, h = frame->height; + + avcodec_align_dimensions2(ctx, &w, &h, linesize_align); + ret = av_image_fill_linesizes(frame->linesize, ctx->pix_fmt, w); + if (ret < 0) + return ret; + + for (int i = 0; i < 4; i++) + linesize1[i] = frame->linesize[i] = + FFALIGN(frame->linesize[i], linesize_align[i]); + + ret = av_image_fill_plane_sizes(size, ctx->pix_fmt, h, linesize1); + if (ret < 0) + goto fail; + + for (int i = 0; i < 4; i++) { + if (!size[i]) + break; + frame->buf[i] = av_buffer_alloc(size[i]); + if (!frame->buf[i]) { + ret = AVERROR(ENOMEM); + goto fail; + } + frame->data[i] = frame->buf[i]->data; + } + +fail: + if (ret < 0) + av_frame_unref(frame); + return ret; +} + +static int fuzz_get_buffer2(AVCodecContext *ctx, AVFrame *frame, int flags) +{ + switch (ctx->codec_type) { + case AVMEDIA_TYPE_VIDEO: + return (ctx->codec->capabilities & AV_CODEC_CAP_DR1) + ? fuzz_video_get_buffer(ctx, frame) + : avcodec_default_get_buffer2(ctx, frame, flags); + case AVMEDIA_TYPE_AUDIO: + return avcodec_default_get_buffer2(ctx, frame, flags); + default: + return AVERROR(EINVAL); + } +} + int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { uint64_t maxpixels_per_frame = 4096 * 4096; uint64_t maxpixels; @@ -241,6 +292,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM and hangs ctx->max_samples = maxsamples_per_frame; + ctx->get_buffer2 = fuzz_get_buffer2; if (size > 1024) { GetByteContext gbc;
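Review bot: in the first hunk, fuzz_video_get_buffer() allocates each plane with av_buffer_alloc(), which does not zero the memory, so the planes now come back holding whatever was previously on the heap. If that is intended (it lets MSan flag decoder reads of pixels that were never written, on top of the ASan overread detection the commit message describes), it is worth one sentence in the commit message; if not, av_buffer_allocz() gives zeroed planes at the same exact size. Related: the default video allocator sets pic->extended_data = pic->data explicitly, while fuzz_video_get_buffer() only fills frame->buf[i] and frame->data[i] and relies on the frame arriving with extended_data already pointing at data; adding `frame->extended_data = frame->data;` after the allocation loop keeps the callback correct regardless of caller state, as the get_buffer2() contract expects.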
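The idea behind the patch, that an "exact" allocation (linesize times rows per plane, no slack) turns a decoder's bottom-edge or end-of-row overread into a detectable out-of-bounds access, is easy to model without libavcodec. The following C program is an added example, not code from the patch or from FFmpeg: `exact_layout()`, `access_in_bounds()` and `alloc_exact_planes()` are hypothetical stand-ins for the `av_image_fill_linesizes()` / `FFALIGN()` / `av_image_fill_plane_sizes()` / `av_buffer_alloc()` sequence in the hunk, restricted to 8-bit planar YUV; the 1919x1081 frame, the codec-aligned height of 1088 and the 32-byte stride alignment are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Round x up to a multiple of a (a must be a power of two), like FFALIGN(). */
#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* Planar 8-bit YUV layout: chroma planes are subsampled by 2^log2_chroma_w
 * horizontally and 2^log2_chroma_h vertically (YUV420P: 1,1; YUV444P: 0,0). */
struct planar_fmt {
    int log2_chroma_w;
    int log2_chroma_h;
};

/* Exact per-plane geometry: no padding rows, no slack after the last line. */
struct plane_layout {
    ptrdiff_t linesize[3];
    size_t    size[3];
};

/* Hypothetical stand-in for av_image_fill_linesizes() + FFALIGN() +
 * av_image_fill_plane_sizes(): linesize = aligned row width, size = linesize * rows.
 * 'aligned_h' plays the role of the codec-aligned height the patch obtains from
 * avcodec_align_dimensions2(). Returns 0 on success, -1 on bad arguments. */
static int exact_layout(const struct planar_fmt *fmt, int width, int aligned_h,
                        int align, struct plane_layout *out)
{
    int cw, ch;
    if (width <= 0 || aligned_h <= 0 || align <= 0 || (align & (align - 1)))
        return -1;
    cw = (width + (1 << fmt->log2_chroma_w) - 1) >> fmt->log2_chroma_w;     /* ceil(width / 2^n) */
    ch = (aligned_h + (1 << fmt->log2_chroma_h) - 1) >> fmt->log2_chroma_h; /* ceil(height / 2^n) */
    out->linesize[0] = ALIGN_UP((ptrdiff_t)width, align);
    out->linesize[1] = out->linesize[2] = ALIGN_UP((ptrdiff_t)cw, align);
    out->size[0] = (size_t)out->linesize[0] * (size_t)aligned_h;
    out->size[1] = out->size[2] = (size_t)out->linesize[1] * (size_t)ch;
    return 0;
}

/* Returns 1 if a read of 'len' bytes starting at (row, col) of 'plane' stays
 * inside the exact allocation, 0 if any byte of it lies past the plane end. */
static int access_in_bounds(const struct plane_layout *l, int plane,
                            int row, int col, size_t len)
{
    size_t off;
    if (plane < 0 || plane > 2 || row < 0 || col < 0)
        return 0;
    off = (size_t)row * (size_t)l->linesize[plane] + (size_t)col;
    return off < l->size[plane] && len <= l->size[plane] - off;
}

/* Allocate each plane at exactly its computed size, as the patch does with
 * av_buffer_alloc(); under ASan, any decoder access past size[i] is reported. */
static int alloc_exact_planes(const struct plane_layout *l, uint8_t *data[3])
{
    for (int i = 0; i < 3; i++) {
        data[i] = malloc(l->size[i]);
        if (!data[i]) {
            while (i--)
                free(data[i]);
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed case: 1919x1081 YUV420P frame, height aligned by the codec to
     * 1088, 32-byte stride alignment. */
    const struct planar_fmt yuv420p = { 1, 1 };
    struct plane_layout l;
    uint8_t *data[3];

    if (exact_layout(&yuv420p, 1919, 1088, 32, &l) < 0 || alloc_exact_planes(&l, data) < 0)
        return 1;
    printf("luma linesize %td size %zu, chroma linesize %td size %zu\n",
           l.linesize[0], l.size[0], l.linesize[1], l.size[1]);
    /* Reading the last luma row is fine; a bottom-edge filter that reaches one
     * row further runs past the exact allocation. */
    printf("read row 1087: %d, read row 1088: %d\n",
           access_in_bounds(&l, 0, 1087, 0, 1919),
           access_in_bounds(&l, 0, 1088, 0, 1919));
    for (int i = 0; i < 3; i++)
        free(data[i]);
    return 0;
}
```

The point of the model is the last two checks: with a padded allocation a read of the row just below the aligned height lands in slack bytes and goes unnoticed, while with plane buffers sized exactly as above the same read is off the end of the allocation, which is what lets ASan report it when the fuzzer uses the patch's get_buffer2().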