falkTX
/
FFmpeg
mirror of https://github.com/falkTX/FFmpeg.git
1
0
Fork 0
Code Issues 0 Releases 338 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
85649 Commits
32 Branches
307MB
Tree: 9d08c7bd42
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9d08c7bd42'
${ noResults }
FFmpeg/tools/target_dec_fuzzer.c

229 lines
7.5KB
Raw Blame History 

  1. /*

  2.  * This file is part of FFmpeg.

  3.  *

  4.  * FFmpeg is free software; you can redistribute it and/or

  5.  * modify it under the terms of the GNU Lesser General Public

  6.  * License as published by the Free Software Foundation; either

  7.  * version 2.1 of the License, or (at your option) any later version.

  8.  *

  9.  * FFmpeg is distributed in the hope that it will be useful,

  10.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  11.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  12.  * Lesser General Public License for more details.

  13.  *

  14.  * You should have received a copy of the GNU Lesser General Public

  15.  * License along with FFmpeg; if not, write to the Free Software

  16.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

  17.  */

  18. 

  19. /* Targeted fuzzer that targets specific codecs depending on two

  20.    compile-time flags.

  21.   INSTRUCTIONS:

  22. 

  23.   * Get the very fresh clang, e.g. see http://libfuzzer.info#versions

  24.   * Get and build libFuzzer:

  25.      svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer

  26.      ./Fuzzer/build.sh

  27.   * build ffmpeg for fuzzing:

  28.     FLAGS="-fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp -g" CC="clang $FLAGS" CXX="clang++ $FLAGS" ./configure  --disable-yasm

  29.     make clean && make -j

  30.   * build the fuzz target.

  31.     Choose the value of FFMPEG_CODEC (e.g. AV_CODEC_ID_DVD_SUBTITLE) and

  32.     choose one of FUZZ_FFMPEG_VIDEO, FUZZ_FFMPEG_AUDIO, FUZZ_FFMPEG_SUBTITLE.

  33.     clang -fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp tools/target_dec_fuzzer.c -o target_dec_fuzzer -I.   -DFFMPEG_CODEC=AV_CODEC_ID_MPEG1VIDEO -DFUZZ_FFMPEG_VIDEO ../../libfuzzer/libFuzzer.a   -Llibavcodec -Llibavdevice -Llibavfilter -Llibavformat -Llibavresample -Llibavutil -Llibpostproc -Llibswscale -Llibswresample -Wl,--as-needed -Wl,-z,noexecstack -Wl,--warn-common -Wl,-rpath-link=libpostproc:libswresample:libswscale:libavfilter:libavdevice:libavformat:libavcodec:libavutil:libavresample -lavdevice -lavfilter -lavformat -lavcodec -lswresample -lswscale -lavutil -ldl -lxcb -lxcb-shm -lxcb -lxcb-xfixes  -lxcb -lxcb-shape -lxcb -lX11 -lasound -lm -lbz2 -lz -pthread

  34.   * create a corpus directory and put some samples there (empty dir is ok too):

  35.     mkdir CORPUS && cp some-files CORPUS

  36. 

  37.   * Run fuzzing:

  38.     ./target_dec_fuzzer -max_len=100000 CORPUS

  39. 

  40.    More info:

  41.    http://libfuzzer.info

  42.    http://tutorial.libfuzzer.info

  43.    https://github.com/google/oss-fuzz

  44.    http://lcamtuf.coredump.cx/afl/

  45.    https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html

  46. */

  47. 

  48. #include "config.h"

  49. #include "libavutil/avassert.h"

  50. #include "libavutil/imgutils.h"

  51. #include "libavutil/intreadwrite.h"

  52. 

  53. #include "libavcodec/avcodec.h"

  54. #include "libavcodec/bytestream.h"

  55. #include "libavformat/avformat.h"

  56. 

  57. int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);

  58. 

  59. static void error(const char *err)

  60. {

  61.     fprintf(stderr, "%s", err);

  62.     exit(1);

  63. }

  64. 

  65. static AVCodec *c = NULL;

  66. static AVCodec *AVCodecInitialize(enum AVCodecID codec_id)

  67. {

  68.     AVCodec *res;

  69.     av_register_all();

  70.     av_log_set_level(AV_LOG_PANIC);

  71.     res = avcodec_find_decoder(codec_id);

  72.     if (!res)

  73.         error("Failed to find decoder");

  74.     return res;

  75. }

  76. 

  77. #if defined(FUZZ_FFMPEG_VIDEO)

  78. #define decode_handler avcodec_decode_video2

  79. #elif defined(FUZZ_FFMPEG_AUDIO)

  80. #define decode_handler avcodec_decode_audio4

  81. #elif defined(FUZZ_FFMPEG_SUBTITLE)

  82. static int subtitle_handler(AVCodecContext *avctx, void *frame,

  83.                             int *got_sub_ptr, AVPacket *avpkt)

  84. {

  85.     AVSubtitle sub;

  86.     int ret = avcodec_decode_subtitle2(avctx, &sub, got_sub_ptr, avpkt);

  87.     if (ret >= 0 && *got_sub_ptr)

  88.         avsubtitle_free(&sub);

  89.     return ret;

  90. }

  91. 

  92. #define decode_handler subtitle_handler

  93. #else

  94. #error "Specify encoder type"  // To catch mistakes

  95. #endif

  96. 

  97. // Class to handle buffer allocation and resize for each frame

  98. typedef struct FuzzDataBuffer {

  99.     size_t size_;

  100.     uint8_t *data_;

  101. } FuzzDataBuffer;

  102. 

  103. static void FDBCreate(FuzzDataBuffer *FDB) {

  104.     FDB->size_ = 0x1000;

  105.     FDB->data_ = av_malloc(FDB->size_);

  106.     if (!FDB->data_)

  107.         error("Failed memory allocation");

  108. }

  109. 

  110. static void FDBDesroy(FuzzDataBuffer *FDB) { av_free(FDB->data_); }

  111. 

  112. static void FDBRealloc(FuzzDataBuffer *FDB, size_t size) {

  113.     size_t needed = size + FF_INPUT_BUFFER_PADDING_SIZE;

  114.     av_assert0(needed > size);

  115.     if (needed > FDB->size_) {

  116.         av_free(FDB->data_);

  117.         FDB->size_ = needed;

  118.         FDB->data_ = av_malloc(FDB->size_);

  119.         if (!FDB->data_)

  120.             error("Failed memory allocation");

  121.     }

  122. }

  123. 

  124. static void FDBPrepare(FuzzDataBuffer *FDB, AVPacket *dst, const uint8_t *data,

  125.                 size_t size)

  126. {

  127.     FDBRealloc(FDB, size);

  128.     memcpy(FDB->data_, data, size);

  129.     size_t padd = FDB->size_ - size;

  130.     if (padd > FF_INPUT_BUFFER_PADDING_SIZE)

  131.         padd = FF_INPUT_BUFFER_PADDING_SIZE;

  132.     memset(FDB->data_ + size, 0, padd);

  133.     av_init_packet(dst);

  134.     dst->data = FDB->data_;

  135.     dst->size = size;

  136. }

  137. 

  138. // Ensure we don't loop forever

  139. const uint32_t maxiteration = 8096;

  140. 

  141. static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;

  142. 

  143. int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {

  144.     const uint64_t fuzz_tag = FUZZ_TAG;

  145.     FuzzDataBuffer buffer;

  146.     const uint8_t *last = data;

  147.     const uint8_t *end = data + size;

  148.     uint32_t it = 0;

  149. 

  150.     if (!c)

  151.         c = AVCodecInitialize(FFMPEG_CODEC);  // Done once.

  152. 

  153.     AVCodecContext* ctx = avcodec_alloc_context3(NULL);

  154.     if (!ctx)

  155.         error("Failed memory allocation");

  156. 

  157.     ctx->max_pixels = 4096 * 4096; //To reduce false positive OOM and hangs

  158. 

  159.     if (size > 1024) {

  160.         GetByteContext gbc;

  161.         bytestream2_init(&gbc, data + size - 1024, 1024);

  162.         ctx->width                              = bytestream2_get_le32(&gbc);

  163.         ctx->height                             = bytestream2_get_le32(&gbc);

  164.         ctx->bit_rate                           = bytestream2_get_le64(&gbc);

  165.         ctx->bits_per_coded_sample              = bytestream2_get_le32(&gbc);

  166.         if (av_image_check_size(ctx->width, ctx->height, 0, ctx))

  167.             ctx->width = ctx->height = 0;

  168.         size -= 1024;

  169.     }

  170. 

  171.     int res = avcodec_open2(ctx, c, NULL);

  172.     if (res < 0)

  173.         return res;

  174. 

  175.     FDBCreate(&buffer);

  176.     int got_frame;

  177.     AVFrame *frame = av_frame_alloc();

  178.     if (!frame)

  179.         error("Failed memory allocation");

  180. 

  181.     // Read very simple container

  182.     AVPacket avpkt;

  183.     while (data < end && it < maxiteration) {

  184.         // Search for the TAG

  185.         while (data + sizeof(fuzz_tag) < end) {

  186.             if (data[0] == (fuzz_tag & 0xFF) && AV_RN64(data) == fuzz_tag)

  187.                 break;

  188.             data++;

  189.         }

  190.         if (data + sizeof(fuzz_tag) > end)

  191.             data = end;

  192. 

  193.         FDBPrepare(&buffer, &avpkt, last, data - last);

  194.         data += sizeof(fuzz_tag);

  195.         last = data;

  196. 

  197.         // Iterate through all data

  198.         while (avpkt.size > 0 && it++ < maxiteration) {

  199.             av_frame_unref(frame);

  200.             int ret = decode_handler(ctx, frame, &got_frame, &avpkt);

  201. 

  202.             if (it > 20)

  203.                 ctx->error_concealment = 0;

  204. 

  205.             if (ret <= 0 || ret > avpkt.size)

  206.                break;

  207.             if (ctx->codec_type != AVMEDIA_TYPE_AUDIO)

  208.                 ret = avpkt.size;

  209.             avpkt.data += ret;

  210.             avpkt.size -= ret;

  211.         }

  212.     }

  213. 

  214.     av_init_packet(&avpkt);

  215.     avpkt.data = NULL;

  216.     avpkt.size = 0;

  217. 

  218.     do {

  219.         got_frame = 0;

  220.         decode_handler(ctx, frame, &got_frame, &avpkt);

  221.     } while (got_frame == 1 && it++ < maxiteration);

  222. 

  223.     av_frame_free(&frame);

  224.     avcodec_free_context(&ctx);

  225.     av_freep(&ctx);

  226.     FDBDesroy(&buffer);

  227.     return 0;

  228. }