falkTX
/
FFmpeg
mirror of https://github.com/falkTX/FFmpeg.git
1
0
Fork 0
Code Issues 0 Releases 338 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
101790 Commits
32 Branches
299MB
Branch: n4.4-jackoutdev
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'n4.4-jackoutdev'
${ noResults }
FFmpeg/tools/target_bsf_fuzzer.c

175 lines
5.9KB
Raw Permalink Blame History 

  1. /*

  2.  * This file is part of FFmpeg.

  3.  *

  4.  * FFmpeg is free software; you can redistribute it and/or

  5.  * modify it under the terms of the GNU Lesser General Public

  6.  * License as published by the Free Software Foundation; either

  7.  * version 2.1 of the License, or (at your option) any later version.

  8.  *

  9.  * FFmpeg is distributed in the hope that it will be useful,

  10.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  11.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  12.  * Lesser General Public License for more details.

  13.  *

  14.  * You should have received a copy of the GNU Lesser General Public

  15.  * License along with FFmpeg; if not, write to the Free Software

  16.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

  17.  */

  18. 

  19. #include "config.h"

  20. #include "libavutil/imgutils.h"

  21. #include "libavutil/opt.h"

  22. 

  23. #include "libavcodec/avcodec.h"

  24. #include "libavcodec/bsf_internal.h"

  25. #include "libavcodec/bytestream.h"

  26. #include "libavcodec/internal.h"

  27. 

  28. int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);

  29. 

  30. static void error(const char *err)

  31. {

  32.     fprintf(stderr, "%s", err);

  33.     exit(1);

  34. }

  35. 

  36. static AVBitStreamFilter *f = NULL;

  37. 

  38. static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;

  39. 

  40. int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {

  41.     const uint64_t fuzz_tag = FUZZ_TAG;

  42.     const uint8_t *last = data;

  43.     const uint8_t *end = data + size;

  44.     AVBSFContext *bsf = NULL;

  45.     AVPacket *in, *out;

  46.     uint64_t keyframes = 0;

  47.     uint64_t flushpattern = -1;

  48.     int res;

  49. 

  50.     if (!f) {

  51. #ifdef FFMPEG_BSF

  52. #define BSF_SYMBOL0(BSF) ff_##BSF##_bsf

  53. #define BSF_SYMBOL(BSF) BSF_SYMBOL0(BSF)

  54.         extern AVBitStreamFilter BSF_SYMBOL(FFMPEG_BSF);

  55.         f = &BSF_SYMBOL(FFMPEG_BSF);

  56. #else

  57.         extern AVBitStreamFilter ff_null_bsf;

  58.         f = &ff_null_bsf;

  59. #endif

  60.         av_log_set_level(AV_LOG_PANIC);

  61.     }

  62. 

  63.     res = av_bsf_alloc(f, &bsf);

  64.     if (res < 0)

  65.         error("Failed memory allocation");

  66. 

  67.     if (size > 1024) {

  68.         GetByteContext gbc;

  69.         int extradata_size;

  70.         int flags;

  71.         size -= 1024;

  72.         bytestream2_init(&gbc, data + size, 1024);

  73.         bsf->par_in->width                      = bytestream2_get_le32(&gbc);

  74.         bsf->par_in->height                     = bytestream2_get_le32(&gbc);

  75.         bsf->par_in->bit_rate                   = bytestream2_get_le64(&gbc);

  76.         bsf->par_in->bits_per_coded_sample      = bytestream2_get_le32(&gbc);

  77. 

  78.         if (f->codec_ids) {

  79.             int i, id;

  80.             for (i = 0; f->codec_ids[i] != AV_CODEC_ID_NONE; i++);

  81.             id = f->codec_ids[bytestream2_get_byte(&gbc) % i];

  82.             bsf->par_in->codec_id = id;

  83.             bsf->par_in->codec_tag              = bytestream2_get_le32(&gbc);

  84.         }

  85. 

  86.         extradata_size = bytestream2_get_le32(&gbc);

  87. 

  88.         bsf->par_in->sample_rate                = bytestream2_get_le32(&gbc);

  89.         bsf->par_in->channels                   = (unsigned)bytestream2_get_le32(&gbc) % FF_SANE_NB_CHANNELS;

  90.         bsf->par_in->block_align                = bytestream2_get_le32(&gbc);

  91.         keyframes                               = bytestream2_get_le64(&gbc);

  92.         flushpattern                            = bytestream2_get_le64(&gbc);

  93.         flags                                   = bytestream2_get_byte(&gbc);

  94. 

  95.         if (flags & 0x20) {

  96.             if (!strcmp(f->name, "av1_metadata"))

  97.                 av_opt_set_int(bsf->priv_data, "td", bytestream2_get_byte(&gbc) % 3, 0);

  98.             else if (!strcmp(f->name, "h264_metadata") || !strcmp(f->name, "h265_metadata"))

  99.                 av_opt_set_int(bsf->priv_data, "aud", bytestream2_get_byte(&gbc) % 3, 0);

  100.             else if (!strcmp(f->name, "extract_extradata"))

  101.                 av_opt_set_int(bsf->priv_data, "remove", bytestream2_get_byte(&gbc) & 1, 0);

  102.         }

  103. 

  104.         if (extradata_size < size) {

  105.             bsf->par_in->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);

  106.             if (bsf->par_in->extradata) {

  107.                 bsf->par_in->extradata_size = extradata_size;

  108.                 size -= bsf->par_in->extradata_size;

  109.                 memcpy(bsf->par_in->extradata, data + size, bsf->par_in->extradata_size);

  110.             }

  111.         }

  112.         if (av_image_check_size(bsf->par_in->width, bsf->par_in->height, 0, bsf))

  113.             bsf->par_in->width = bsf->par_in->height = 0;

  114.     }

  115. 

  116.     res = av_bsf_init(bsf);

  117.     if (res < 0) {

  118.         av_bsf_free(&bsf);

  119.         return 0; // Failure of av_bsf_init() does not imply that a issue was found

  120.     }

  121. 

  122.     in = av_packet_alloc();

  123.     out = av_packet_alloc();

  124.     if (!in || !out)

  125.         error("Failed memory allocation");

  126. 

  127.     while (data < end) {

  128.         // Search for the TAG

  129.         while (data + sizeof(fuzz_tag) < end) {

  130.             if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)

  131.                 break;

  132.             data++;

  133.         }

  134.         if (data + sizeof(fuzz_tag) > end)

  135.             data = end;

  136. 

  137.         res = av_new_packet(in, data - last);

  138.         if (res < 0)

  139.             error("Failed memory allocation");

  140.         memcpy(in->data, last, data - last);

  141.         in->flags = (keyframes & 1) * AV_PKT_FLAG_DISCARD + (!!(keyframes & 2)) * AV_PKT_FLAG_KEY;

  142.         keyframes = (keyframes >> 2) + (keyframes<<62);

  143.         data += sizeof(fuzz_tag);

  144.         last = data;

  145. 

  146.         if (!(flushpattern & 7))

  147.             av_bsf_flush(bsf);

  148.         flushpattern = (flushpattern >> 3) + (flushpattern << 61);

  149. 

  150.         while (in->size) {

  151.             res = av_bsf_send_packet(bsf, in);

  152.             if (res < 0 && res != AVERROR(EAGAIN))

  153.                 break;

  154.             res = av_bsf_receive_packet(bsf, out);

  155.             if (res < 0)

  156.                 break;

  157.             av_packet_unref(out);

  158.         }

  159.         av_packet_unref(in);

  160.     }

  161. 

  162.     res = av_bsf_send_packet(bsf, NULL);

  163.     while (!res) {

  164.         res = av_bsf_receive_packet(bsf, out);

  165.         if (res < 0)

  166.             break;

  167.         av_packet_unref(out);

  168.     }

  169. 

  170.     av_packet_free(&in);

  171.     av_packet_free(&out);

  172.     av_bsf_free(&bsf);

  173.     return 0;

  174. }