* [FFmpeg-devel] [PR] tools/target_sws_fuzzer: add sws filters to fuzzing (PR #21601)
@ 2026-01-28 12:36 Kacper Michajłow via ffmpeg-devel
From: Kacper Michajłow via ffmpeg-devel @ 2026-01-28 12:36 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: Kacper Michajłow
PR #21601 opened by Kacper Michajłow (kasper93)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21601
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21601.patch
From cc99f1a3d1db2b1823c65ac9b941994356c7e456 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= <kasper93@gmail.com>
Date: Wed, 28 Jan 2026 13:20:31 +0100
Subject: [PATCH 1/2] tools/target_sws_fuzzer: don't zero init dest buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The destination buffer is the output and should be initialized by sws itself.
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
---
tools/target_sws_fuzzer.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/target_sws_fuzzer.c b/tools/target_sws_fuzzer.c
index 0e14adb1be..2aca0f3254 100644
--- a/tools/target_sws_fuzzer.c
+++ b/tools/target_sws_fuzzer.c
@@ -40,7 +40,7 @@ static void error(const char *err)
exit(1);
}
-static int alloc_plane(uint8_t *data[AV_VIDEO_MAX_PLANES], int stride[AV_VIDEO_MAX_PLANES], int w, int h, int format, int *hshift, int *vshift)
+static int alloc_plane(uint8_t *data[AV_VIDEO_MAX_PLANES], int stride[AV_VIDEO_MAX_PLANES], int w, int h, int format, int *hshift, int *vshift, int zero_init)
{
size_t size[AV_VIDEO_MAX_PLANES];
ptrdiff_t ptrdiff_stride[AV_VIDEO_MAX_PLANES];
@@ -62,7 +62,7 @@ static int alloc_plane(uint8_t *data[AV_VIDEO_MAX_PLANES], int stride[AV_VIDEO_M
for(int p=0; p<AV_VIDEO_MAX_PLANES; p++) {
if (size[p]) {
- data[p] = av_mallocz(size[p] + 32);
+ data[p] = zero_init ? av_mallocz(size[p] + 32) : av_malloc(size[p] + 32);
if (!data[p])
return -1;
} else
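Review bot: The new non-zeroing branch on the `data[p] = zero_init ? av_mallocz(...) : av_malloc(...)` line carries no explanation of why the destination planes are deliberately left uninitialized, and that reason (stated only in the commit message) is the whole point of the change; without it a later cleanup is likely to "fix" it back to av_mallocz. Suggest a comment above the allocation such as `/* dst is intentionally left uninitialized: sws must write every output byte itself, presumably so sanitizers can flag bytes it misses */`. The `zero_init` parameter added in the preceding hunk would likewise benefit from a one-line description at the signature, and the bare `1`/`0` arguments in the following hunk read better as named values. The loop body of alloc_plane continues past the end of this hunk.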
@@ -153,11 +153,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
// fprintf(stderr, "%d x %d %s -> %d x %d %s\n", srcW, srcH, desc_src->name, dstW, dstH, desc_dst->name);
- ret = alloc_plane(src, srcStride, srcW, srcH, srcFormat, &srcHShift, &srcVShift);
+ ret = alloc_plane(src, srcStride, srcW, srcH, srcFormat, &srcHShift, &srcVShift, 1);
if (ret < 0)
goto end;
- ret = alloc_plane(dst, dstStride, dstW, dstH, dstFormat, &dstHShift, &dstVShift);
+ ret = alloc_plane(dst, dstStride, dstW, dstH, dstFormat, &dstHShift, &dstVShift, 0);
if (ret < 0)
goto end;
--
2.52.0
From 329f6b8f01582390896abac55eacf21758256fc8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kacper=20Michaj=C5=82ow?= <kasper93@gmail.com>
Date: Wed, 28 Jan 2026 13:22:50 +0100
Subject: [PATCH 2/2] tools/target_sws_fuzzer: add sws filters to fuzzing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A recent regression in commit 795bb37a39e163cbb5b6d897ebb0ca90ea7b449a,
which skipped clearing some internal buffers, had pretty significant
security implications:
478212631/clusterfuzz-testcase-minimized-fuzzer_set_property_MPV_FORMAT_STRING_1-5143269947539456
478212631/clusterfuzz-testcase-minimized-fuzzer_set_property_MPV_FORMAT_STRING_1-5389230846312448
478212631/clusterfuzz-testcase-minimized-fuzzer_set_property_MPV_FORMAT_STRING_1-4732512093143040
478212631/clusterfuzz-testcase-minimized-fuzzer_set_property_MPV_FORMAT_STRING_1-4791771971518464
478212631/clusterfuzz-testcase-minimized-fuzzer_set_property_MPV_FORMAT_STRING_1-6030282833854464
478301104/clusterfuzz-testcase-minimized-fuzzer_set_property_MPV_FORMAT_STRING_1-5053287094353920
Found-by: https://github.com/google/oss-fuzz/tree/master/projects/mpv
None of which were found by FFmpeg's fuzzing infrastructure, so update
the SWS fuzzer to account for that.
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
---
tools/target_sws_fuzzer.c | 37 ++++++++++++++++++++++++++++++++++++-
1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/tools/target_sws_fuzzer.c b/tools/target_sws_fuzzer.c
index 2aca0f3254..4a0b639526 100644
--- a/tools/target_sws_fuzzer.c
+++ b/tools/target_sws_fuzzer.c
@@ -102,6 +102,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
uint8_t *dst[AV_VIDEO_MAX_PLANES] = { 0 };
struct SwsContext *sws = NULL;
const AVPixFmtDescriptor *desc_src, *desc_dst;
+ SwsFilter *src_filter = NULL;
+ SwsFilter *dst_filter = NULL;
+ int use_filter = 0;
+ float filter_luma_gblur = 0, filter_chroma_gblur = 0;
+ float filter_luma_sharpen = 0, filter_chroma_sharpen = 0;
+ float filter_chroma_hshift = 0, filter_chroma_vshift = 0;
if (size > 128) {
GetByteContext gbc;
@@ -141,6 +147,24 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
if (flags64 & 0x10)
av_force_cpu_flags(0);
+ use_filter = flags64 & 0x20;
+ if (use_filter) {
+ const uint32_t param_max = 0xFF;
+ uint32_t luma_gblur = bytestream2_get_le32(&gbc) % param_max;
+ uint32_t chroma_gblur = bytestream2_get_le32(&gbc) % param_max;
+ uint32_t luma_sharpen = bytestream2_get_le32(&gbc) % param_max;
+ uint32_t chroma_sharpen = bytestream2_get_le32(&gbc) % param_max;
+ uint32_t chroma_hshift = bytestream2_get_le32(&gbc) % param_max;
+ uint32_t chroma_vshift = bytestream2_get_le32(&gbc) % param_max;
+
+ filter_luma_gblur = (float)luma_gblur / param_max * 200.0f - 100.0f;
+ filter_chroma_gblur = (float)chroma_gblur / param_max * 200.0f - 100.0f;
+ filter_luma_sharpen = (float)luma_sharpen / param_max * 200.0f - 100.0f;
+ filter_chroma_sharpen = (float)chroma_sharpen / param_max * 200.0f - 100.0f;
+ filter_chroma_hshift = (float)chroma_hshift / param_max * 200.0f - 100.0f;
+ filter_chroma_vshift = (float)chroma_vshift / param_max * 200.0f - 100.0f;
+ }
+
if (av_image_check_size(srcW, srcH, srcFormat, NULL) < 0)
srcW = srcH = 23;
if (av_image_check_size(dstW, dstH, dstFormat, NULL) < 0)
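Review bot: The `% param_max` reductions with `param_max = 0xFF` yield values in 0..254, so `(float)x / param_max` never reaches 1.0 and the mapped parameters span [-100, +99.2] rather than the symmetric [-100, +100] that `* 200.0f - 100.0f` suggests; if the full range is intended, reduce modulo one more, e.g. `uint32_t luma_gblur = bytestream2_get_le32(&gbc) % (param_max + 1);` for each of the six reads. The six near-identical read-and-map pairs could also be folded into a small static helper, but that is a matter of style. LLVMFuzzerTestOneInput starts before and continues after this hunk.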
@@ -186,7 +210,16 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
av_opt_set_int(sws, "dst_format", dstFormat, 0);
av_opt_set(sws, "alphablend", "none", 0);
- ret = sws_init_context(sws, NULL, NULL);
+ if (use_filter) {
+ src_filter = sws_getDefaultFilter(filter_luma_gblur, filter_chroma_gblur,
+ filter_luma_sharpen, filter_chroma_sharpen,
+ filter_chroma_hshift, filter_chroma_vshift, 0);
+ dst_filter = sws_getDefaultFilter(filter_luma_gblur, filter_chroma_gblur,
+ filter_luma_sharpen, filter_chroma_sharpen,
+ filter_chroma_hshift, filter_chroma_vshift, 0);
+ }
+
+ ret = sws_init_context(sws, src_filter, dst_filter);
if (ret < 0)
goto end;
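Review bot: Neither `sws_getDefaultFilter()` result is checked before being passed to `sws_init_context()`; on allocation failure they are NULL, which the removed `sws_init_context(sws, NULL, NULL)` line shows is the "no filter" call, so the filtered path the input asked for is silently replaced by an unfiltered scale that looks like a successful run. Suggest `if (!src_filter || !dst_filter) goto end;` after the second call; the `end:` cleanup already receives NULL filters whenever `use_filter` is 0, so no change is needed there. Both filters are built from the same six parameters, so source and destination filter combinations are never explored independently; drawing a second set of values for the destination filter would widen coverage, though that is a scope question for the author. The function continues outside this hunk.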
@@ -194,6 +227,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
sws_scale(sws, (const uint8_t * const*)src, srcStride, 0, srcH, dst, dstStride);
end:
+ sws_freeFilter(dst_filter);
+ sws_freeFilter(src_filter);
sws_freeContext(sws);
free_plane(src);
--
2.52.0