* [FFmpeg-devel] [PATCH] tools/target_dec_fuzzer: add a custom get_buffer2() implementation
@ 2022-05-31 20:12 James Almer
2022-05-31 20:42 ` [FFmpeg-devel] [PATCH v2] " James Almer
0 siblings, 1 reply; 3+ messages in thread
From: James Almer @ 2022-05-31 20:12 UTC (permalink / raw)
To: ffmpeg-devel
Unlike avcodec_default_get_buffer2(), this version does not allocate more than
what the normal image helper functions consider should be allocated for a given
frame.
Since the get_buffer2() documentation does not require any kind of buffer
overallocation for any of the planes, this should help detect bugs in our DR1
decoders if they overread beyond the end of the buffer, simulating what some
library users might experience when they use their own custom get_buffer2()
implementations.
Signed-off-by: James Almer <jamrial@gmail.com>
---
Untested.
The get_buffer2() documentation does not enforce the usage of
avcodec_align_dimensions2(), only says it "should" be used for DR1 decoders.
I figure not using it would break a bunch of decoders, but I can't be sure.
And I did not bother writing a buffer pool for this. I assume it will not
affect performance to the point ossfuzz starts reporting bogus timeouts.
Signed-off-by: James Almer <jamrial@gmail.com>
---
tools/target_dec_fuzzer.c | 50 +++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index 288aa63313..b951921265 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -104,6 +104,55 @@ const uint32_t maxiteration = 8096;
static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;
+static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame)
+{
+ ptrdiff_t linesize1[4];
+ size_t size[4];
+ int linesize_align[AV_NUM_DATA_POINTERS];
+ int ret, w = frame->width, h = frame->height;
+
+ avcodec_align_dimensions2(ctx, &w, &h, linesize_align);
+ ret = av_image_fill_linesizes(frame->linesize, ctx->pix_fmt, w);
+ if (ret < 0)
+ return ret;
+
+ for (int i = 0; i < 4; i++)
+ linesize1[i] = frame->linesize[i] =
+ FFALIGN(frame->linesize[i], linesize_align[i]);
+
+ ret = av_image_fill_plane_sizes(size, ctx->pix_fmt, h, linesize1);
+ if (ret < 0)
+ goto fail;
+
+ for (int i = 0; i < 4; i++) {
+ frame->buf[i] = av_buffer_alloc(size[i]);
+ if (!frame->buf[i]) {
+ ret = AVERROR(ENOMEM);
+ goto fail;
+ }
+ frame->data[i] = frame->buf[i]->data;
+ }
+
+fail:
+ if (ret < 0)
+ av_frame_unref(frame);
+ return ret;
+}
+
+static int fuzz_get_buffer2(AVCodecContext *ctx, AVFrame *frame, int flags)
+{
+ switch (ctx->codec_type) {
+ case AVMEDIA_TYPE_VIDEO:
+ return (ctx->codec->capabilities & AV_CODEC_CAP_DR1)
+ ? fuzz_video_get_buffer(ctx, frame)
+ : avcodec_default_get_buffer2(ctx, frame, flags);
+ case AVMEDIA_TYPE_AUDIO:
+ return avcodec_default_get_buffer2(ctx, frame, flags);
+ default:
+ return AVERROR(EINVAL);
+ }
+}
+
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
uint64_t maxpixels_per_frame = 4096 * 4096;
uint64_t maxpixels;
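Review bot: the allocation loop `for (int i = 0; i < 4; i++)` in fuzz_video_get_buffer() calls av_buffer_alloc(size[i]) for all four planes even when av_image_fill_plane_sizes() reports a size of 0 for a plane the pixel format does not have, so frame->buf[i] and frame->data[i] come back non-NULL, zero-length buffers for unused planes, which a get_buffer2() implementation is expected to leave NULL (av_frame_unref() already cleared them). Stop at the first empty plane, i.e. `if (!size[i]) break;` at the top of the loop, which is what v2 of this patch does ("Now making sure to not allocate more plane buffers than needed").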
@@ -241,6 +290,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM and hangs
ctx->max_samples = maxsamples_per_frame;
+ ctx->get_buffer2 = fuzz_get_buffer2;
if (size > 1024) {
GetByteContext gbc;
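Review bot: `ctx->get_buffer2 = fuzz_get_buffer2;` installs the override for every codec type, yet fuzz_get_buffer2() returns AVERROR(EINVAL) in its `default:` branch where the previous behaviour was avcodec_default_get_buffer2() for everything; if the intent is to leave codec types other than video and audio untouched, forward that branch to avcodec_default_get_buffer2(ctx, frame, flags) rather than failing, or make the assignment conditional on ctx->codec_type.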
--
2.36.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
* [FFmpeg-devel] [PATCH v2] tools/target_dec_fuzzer: add a custom get_buffer2() implementation
2022-05-31 20:12 [FFmpeg-devel] [PATCH] tools/target_dec_fuzzer: add a custom get_buffer2() implementation James Almer
@ 2022-05-31 20:42 ` James Almer
2022-06-05 12:17 ` James Almer
0 siblings, 1 reply; 3+ messages in thread
From: James Almer @ 2022-05-31 20:42 UTC (permalink / raw)
To: ffmpeg-devel
Unlike avcodec_default_get_buffer2(), this version does not allocate more than
what the normal image helper functions consider should be allocated for a given
frame.
Since the get_buffer2() documentation does not require any kind of buffer
overallocation for any of the planes, this should help detect bugs in our DR1
decoders if they overread beyond the end of the buffer, simulating what some
library users might experience when they use their own custom get_buffer2()
implementations.
Signed-off-by: James Almer <jamrial@gmail.com>
---
Now making sure to not allocate more plane buffers than needed.
tools/target_dec_fuzzer.c | 52 +++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
index 288aa63313..2e43ed3d88 100644
--- a/tools/target_dec_fuzzer.c
+++ b/tools/target_dec_fuzzer.c
@@ -104,6 +104,57 @@ const uint32_t maxiteration = 8096;
static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;
+static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame)
+{
+ ptrdiff_t linesize1[4];
+ size_t size[4];
+ int linesize_align[AV_NUM_DATA_POINTERS];
+ int ret, w = frame->width, h = frame->height;
+
+ avcodec_align_dimensions2(ctx, &w, &h, linesize_align);
+ ret = av_image_fill_linesizes(frame->linesize, ctx->pix_fmt, w);
+ if (ret < 0)
+ return ret;
+
+ for (int i = 0; i < 4; i++)
+ linesize1[i] = frame->linesize[i] =
+ FFALIGN(frame->linesize[i], linesize_align[i]);
+
+ ret = av_image_fill_plane_sizes(size, ctx->pix_fmt, h, linesize1);
+ if (ret < 0)
+ goto fail;
+
+ for (int i = 0; i < 4; i++) {
+ if (!size[i])
+ break;
+ frame->buf[i] = av_buffer_alloc(size[i]);
+ if (!frame->buf[i]) {
+ ret = AVERROR(ENOMEM);
+ goto fail;
+ }
+ frame->data[i] = frame->buf[i]->data;
+ }
+
+fail:
+ if (ret < 0)
+ av_frame_unref(frame);
+ return ret;
+}
+
+static int fuzz_get_buffer2(AVCodecContext *ctx, AVFrame *frame, int flags)
+{
+ switch (ctx->codec_type) {
+ case AVMEDIA_TYPE_VIDEO:
+ return (ctx->codec->capabilities & AV_CODEC_CAP_DR1)
+ ? fuzz_video_get_buffer(ctx, frame)
+ : avcodec_default_get_buffer2(ctx, frame, flags);
+ case AVMEDIA_TYPE_AUDIO:
+ return avcodec_default_get_buffer2(ctx, frame, flags);
+ default:
+ return AVERROR(EINVAL);
+ }
+}
+
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
uint64_t maxpixels_per_frame = 4096 * 4096;
uint64_t maxpixels;
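Review bot: the success path of fuzz_video_get_buffer() falls through into `fail:` and returns whatever av_image_fill_plane_sizes() produced rather than an explicit 0; a `return 0;` after the allocation loop makes the intent clear and stops the function depending on that helper's success value. Separately, since w and h are still padded by avcodec_align_dimensions2() before the linesizes and plane sizes are computed, the buffers include the padding rows and aligned linesizes, so only accesses past the aligned plane end are caught, not accesses into that padding; a comment on the function stating this would keep readers from taking the commit message's "does not allocate more than what the normal image helper functions consider" as a byte-exact bound on the visible image.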
@@ -241,6 +292,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM and hangs
ctx->max_samples = maxsamples_per_frame;
+ ctx->get_buffer2 = fuzz_get_buffer2;
if (size > 1024) {
GetByteContext gbc;
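Review bot: unchanged from v1, and `ctx->get_buffer2 = fuzz_get_buffer2;` still carries no comment while the max_pixels line above it shows the harness's convention (`//To reduce false positive OOM and hangs`). One sentence saying the callback allocates planes exactly as the image helpers size them so overreads past a plane end become detectable, and that it deliberately has no pool, would stop a later reader from "fixing" the override back to the default allocator.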
--
2.36.1
* Re: [FFmpeg-devel] [PATCH v2] tools/target_dec_fuzzer: add a custom get_buffer2() implementation
2022-05-31 20:42 ` [FFmpeg-devel] [PATCH v2] " James Almer
@ 2022-06-05 12:17 ` James Almer
0 siblings, 0 replies; 3+ messages in thread
From: James Almer @ 2022-06-05 12:17 UTC (permalink / raw)
To: ffmpeg-devel
On 5/31/2022 5:42 PM, James Almer wrote:
> Unlike avcodec_default_get_buffer2(), this version does not allocate more than
> what the normal image helper functions consider should be allocated for a given
> frame.
> Since the get_buffer2() documentation does not require any kind of buffer
> overallocation for any of the planes, this should help detect bugs in our DR1
> decoders if they overread beyond the end of the buffer, simulating what some
> library users might experience when they use their own custom get_buffer2()
> implementations.
>
> Signed-off-by: James Almer <jamrial@gmail.com>
> ---
> Now making sure to not allocate more plane buffers than needed.
>
> tools/target_dec_fuzzer.c | 52 +++++++++++++++++++++++++++++++++++++++
> 1 file changed, 52 insertions(+)
>
> diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c
> index 288aa63313..2e43ed3d88 100644
> --- a/tools/target_dec_fuzzer.c
> +++ b/tools/target_dec_fuzzer.c
> @@ -104,6 +104,57 @@ const uint32_t maxiteration = 8096;
>
> static const uint64_t FUZZ_TAG = 0x4741542D5A5A5546ULL;
>
> +static int fuzz_video_get_buffer(AVCodecContext *ctx, AVFrame *frame)
> +{
> + ptrdiff_t linesize1[4];
> + size_t size[4];
> + int linesize_align[AV_NUM_DATA_POINTERS];
> + int ret, w = frame->width, h = frame->height;
> +
> + avcodec_align_dimensions2(ctx, &w, &h, linesize_align);
> + ret = av_image_fill_linesizes(frame->linesize, ctx->pix_fmt, w);
> + if (ret < 0)
> + return ret;
> +
> + for (int i = 0; i < 4; i++)
> + linesize1[i] = frame->linesize[i] =
> + FFALIGN(frame->linesize[i], linesize_align[i]);
> +
> + ret = av_image_fill_plane_sizes(size, ctx->pix_fmt, h, linesize1);
> + if (ret < 0)
> + goto fail;
> +
> + for (int i = 0; i < 4; i++) {
> + if (!size[i])
> + break;
> + frame->buf[i] = av_buffer_alloc(size[i]);
> + if (!frame->buf[i]) {
> + ret = AVERROR(ENOMEM);
> + goto fail;
> + }
> + frame->data[i] = frame->buf[i]->data;
> + }
> +
> +fail:
> + if (ret < 0)
> + av_frame_unref(frame);
> + return ret;
> +}
> +
> +static int fuzz_get_buffer2(AVCodecContext *ctx, AVFrame *frame, int flags)
> +{
> + switch (ctx->codec_type) {
> + case AVMEDIA_TYPE_VIDEO:
> + return (ctx->codec->capabilities & AV_CODEC_CAP_DR1)
> + ? fuzz_video_get_buffer(ctx, frame)
> + : avcodec_default_get_buffer2(ctx, frame, flags);
> + case AVMEDIA_TYPE_AUDIO:
> + return avcodec_default_get_buffer2(ctx, frame, flags);
> + default:
> + return AVERROR(EINVAL);
> + }
> +}
> +
> int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> uint64_t maxpixels_per_frame = 4096 * 4096;
> uint64_t maxpixels;
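Review bot: `if (!size[i]) break;` relies on av_image_fill_plane_sizes() reporting the planes a format uses contiguously from index 0, which holds for the formats the fuzzer sees, but the reason for `break` over `continue` is not stated; either a one-line comment saying the used planes are contiguous or simply `continue`, which costs nothing and keeps the loop correct if a format with a gap ever appears, would make the loop self-explanatory.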
> @@ -241,6 +292,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
> ctx->max_pixels = maxpixels_per_frame; //To reduce false positive OOM and hangs
>
> ctx->max_samples = maxsamples_per_frame;
> + ctx->get_buffer2 = fuzz_get_buffer2;
>
> if (size > 1024) {
> GetByteContext gbc;
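Review bot: before pushing, it is worth running the harness with sanitizers over a handful of DR1 decoders on known-good inputs, since v1 was posted as "Untested" with the note that skipping the recommended alignment might "break a bunch of decoders" and v2 drops that note without saying what changed; if any decoder legitimately reads into padding the default allocator provides, this override will surface that as a fuzzer finding, and the threshold of accepted per-frame allocation cost without a pool (also raised in v1) should be confirmed not to trip ossfuzz timeouts.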
Will push soon if nobody objects.
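The allocation strategy the commit message describes, as an added example that is not FFmpeg's code: a self-contained C sketch of an exact-size, per-plane frame allocator. PixDesc, Frame, plane_dim(), frame_fill_sizes(), frame_get_buffer(), frame_release() and hidden_slack() are hypothetical stand-ins for AVPixFmtDescriptor, AVFrame, av_image_fill_linesizes()/av_image_fill_plane_sizes(), get_buffer2() and av_frame_unref(); the two descriptors are constructed for the example, and the "padded allocator" modelled in hidden_slack() is illustrative, not a description of avcodec_default_get_buffer2().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PLANES 4
#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((a) - 1))

/* Hypothetical stand-in for AVPixFmtDescriptor: plane count, chroma
 * subsampling of planes 1 and 2, bytes per pixel (same on every plane). */
typedef struct PixDesc {
    int nb_planes;
    int log2_chroma_w, log2_chroma_h;
    int bytes_per_px;
} PixDesc;

/* Constructed descriptors for the example. */
static const PixDesc PIX_YUV420P = { 3, 1, 1, 1 };
static const PixDesc PIX_RGB24   = { 1, 0, 0, 3 };

/* Hypothetical stand-in for the AVFrame fields an allocator touches. */
typedef struct Frame {
    int width, height;
    const PixDesc *desc;
    int linesize[MAX_PLANES];
    size_t plane_size[MAX_PLANES];
    uint8_t *data[MAX_PLANES];     /* planes the format lacks must stay NULL */
} Frame;

/* Width or height of one plane, rounding up for odd sizes. */
static int plane_dim(const PixDesc *d, int plane, int v, int vertical)
{
    int shift = 0;
    if (plane == 1 || plane == 2)
        shift = vertical ? d->log2_chroma_h : d->log2_chroma_w;
    return (v + (1 << shift) - 1) >> shift;
}

/* Linesize rounded up to linesize_align (a power of two), plane size exactly
 * linesize * plane height: the job the image helpers do in the patch, no slack. */
static int frame_fill_sizes(Frame *f, int linesize_align)
{
    memset(f->linesize, 0, sizeof(f->linesize));
    memset(f->plane_size, 0, sizeof(f->plane_size));
    if (!f->desc || f->width <= 0 || f->height <= 0 || linesize_align <= 0 ||
        (linesize_align & (linesize_align - 1)))
        return -1;
    for (int i = 0; i < f->desc->nb_planes && i < MAX_PLANES; i++) {
        int ls = plane_dim(f->desc, i, f->width, 0) * f->desc->bytes_per_px;
        f->linesize[i]   = ALIGN_UP(ls, linesize_align);
        f->plane_size[i] = (size_t)f->linesize[i] * plane_dim(f->desc, i, f->height, 1);
    }
    return 0;
}

static void frame_release(Frame *f)
{
    for (int i = 0; i < MAX_PLANES; i++) { free(f->data[i]); f->data[i] = NULL; }
}

/* Exact-size get_buffer2() analogue: one heap block per plane, sized to the
 * byte, so an address sanitizer or guard page reports the first access past
 * a plane's end instead of it landing silently in pool padding. */
static int frame_get_buffer(Frame *f, int linesize_align)
{
    memset(f->data, 0, sizeof(f->data));
    if (frame_fill_sizes(f, linesize_align) < 0)
        return -1;
    for (int i = 0; i < MAX_PLANES; i++) {
        if (!f->plane_size[i])
            break;                 /* first unused plane: stop and leave it NULL */
        f->data[i] = malloc(f->plane_size[i]);
        if (!f->data[i]) {
            frame_release(f);      /* undo the partial allocation */
            return -1;
        }
    }
    return 0;
}

/* Bytes an illustrative padded allocator (one that also rounds plane 0's
 * height up to height_align rows) would place past the exact plane end. */
static size_t hidden_slack(const Frame *f, int height_align)
{
    int padded_h = ALIGN_UP(plane_dim(f->desc, 0, f->height, 1), height_align);
    return (size_t)f->linesize[0] * padded_h - f->plane_size[0];
}

int main(void)
{
    Frame f = { .width = 33, .height = 17, .desc = &PIX_YUV420P };
    if (frame_get_buffer(&f, 32) < 0)
        return 1;
    printf("plane 0: linesize %d, %zu bytes; plane 3 is %s\n", f.linesize[0],
           f.plane_size[0], f.data[3] ? "allocated" : "NULL");
    printf("padding the height to 16 rows would hide %zu bytes\n", hidden_slack(&f, 16));
    frame_release(&f);
    return 0;
}
```

Built with -fsanitize=address, a decoder stub that touches `f.data[0][f.plane_size[0]]` faults immediately here, whereas a pool that rounds rows up absorbs the same read silently; that visibility is what the fuzzer patch is after, and the `break` on the first empty plane is the v2 fix that keeps unused plane pointers NULL.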